Salesforce has addressed multiple critical security vulnerabilities in Tableau Server and Desktop that could enable attackers to upload malicious files and execute arbitrary code.
The vulnerabilities, disclosed on August 22, 2025, were proactively identified during a security assessment and patched in the July 22, 2025 maintenance release.
Critical Type Confusion Vulnerability
The most severe flaw, CVE-2025-26496, scores a critical 9.6 on the CVSS scale and affects the file upload modules in both Tableau Server and Desktop.
This type confusion flaw (access of a resource using an incompatible type) allows local code inclusion, potentially enabling an attacker to execute malicious code within the application's security context. It affects Windows and Linux installations across multiple product versions.
| CVE ID | Vulnerability Type | CVSS v3 Score | Risk Level |
|---|---|---|---|
| CVE-2025-26496 | Access of Resource Using Incompatible Type (‘Type Confusion’) | 9.6 | Critical |
| CVE-2025-26497 | Unrestricted Upload of File with Dangerous Type | 7.7 | High |
| CVE-2025-26498 | Unrestricted Upload of File with Dangerous Type | 7.7 | High |
| CVE-2025-52450 | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 8.5 | High |
| CVE-2025-52451 | Improper Input Validation | 8.5 | High |
The four remaining vulnerabilities center on unrestricted file upload and path traversal weaknesses.
CVE-2025-26497 and CVE-2025-26498 both carry CVSS scores of 7.7 and allow absolute path traversal through dangerous file uploads in the Flow Editor and establish-connection-no-undo modules respectively.
Two more high-severity flaws, CVE-2025-52450 and CVE-2025-52451, affect the tabdoc API’s create-data-source-from-file-upload functionality.
Both vulnerabilities score 8.5 on CVSS and enable absolute path traversal through improper pathname limitation and input validation failures.
The vulnerabilities impact Tableau Server versions before 2025.1.4, 2024.2.13, and 2023.3.20. The type confusion flaw also affects corresponding Tableau Desktop versions.
Installations on both Windows and Linux are affected, and the vulnerable modules are those responsible for file handling and data source creation.
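The fixed versions above are per release branch, so a quick inventory check needs to compare the patch number within the matching branch rather than sorting version strings. The following is an added example, not code from Salesforce or the Tableau product: it takes the three fixed versions named in the article and classifies a Tableau Server version string as vulnerable, patched, or not listed in the advisory. It assumes the common `YYYY.minor.patch` version format (an optional fourth component is tolerated); branches the advisory does not name, such as 2024.3 in the sample inventory below, are reported as "unlisted" rather than guessed at.

```python
import re
from typing import Dict, List, Tuple

# Fixed versions named in the Salesforce advisory, keyed by release branch
# (from the article: "versions before 2025.1.4, 2024.2.13, and 2023.3.20").
FIXED_BY_BRANCH: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (2025, 1): (2025, 1, 4),
    (2024, 2): (2024, 2, 13),
    (2023, 3): (2023, 3, 20),
}

# Assumed format: "2024.2.12" or "2024.2.12.0" (trailing build component ignored).
_VERSION_RE = re.compile(r"^\s*(\d{4})\.(\d+)\.(\d+)(?:\.\d+)?\s*$")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse a Tableau version string into (major, minor, patch)."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised Tableau version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(version: str) -> str:
    """Return 'vulnerable', 'patched' or 'unlisted' for one Tableau Server version.

    'unlisted' means the release branch is not named in the advisory; check the
    vendor's release notes for that branch instead of assuming it is safe.
    """
    major, minor, patch = parse_version(version)
    fixed = FIXED_BY_BRANCH.get((major, minor))
    if fixed is None:
        return "unlisted"
    return "patched" if (major, minor, patch) >= fixed else "vulnerable"


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group hosts by assessment so vulnerable ones can be scheduled first."""
    buckets: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unlisted": []}
    for host, version in inventory:
        buckets[assess(version)].append(host)
    return buckets


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = [
    ("bi-prod-01", "2024.2.12"),
    ("bi-prod-02", "2024.2.13"),
    ("bi-dev-01", "2025.1.3.0"),
    ("bi-legacy-01", "2023.3.19"),
    ("bi-test-01", "2024.3.1"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:>10}: {', '.join(hosts) or '-'}")
```

Run it against an export of your Tableau Server versions (for example from each node's About page or `tsm version`) and patch the "vulnerable" bucket first; the "unlisted" bucket is a prompt to check the vendor's notes, not a clean bill of health.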
These vulnerabilities create multiple attack vectors for malicious actors. The combination of unrestricted file uploads with path traversal capabilities could allow attackers to write files to arbitrary locations on the server filesystem.
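The combination described here, an upload handler that accepts dangerous file types and trusts the client-supplied name, is what lets an attacker steer the written file out of the upload directory. The following is an added, generic illustration in Python and is not Tableau's code or a description of how the Tableau flaws are triggered: it shows the unsafe pattern next to a hardened version that keeps only the final path component, normalises both slash styles, enforces an extension allow-list (the allowed set is an assumption for the example), and confirms the resolved target still lives inside the upload directory.

```python
import os
from pathlib import Path

# Assumed allow-list for the example; a real deployment would pick its own.
ALLOWED_EXTENSIONS = {".csv", ".xlsx", ".hyper"}


def vulnerable_save_path(upload_dir: str, filename: str) -> str:
    """Unsafe pattern: the client-supplied name is joined and normalised as-is.

    '../' segments walk out of upload_dir, and an absolute filename makes
    os.path.join discard upload_dir entirely.
    """
    return os.path.normpath(os.path.join(upload_dir, filename))


def hardened_save_path(upload_dir: str, filename: str) -> str:
    """Safe pattern: strip directories, check the type, and re-verify containment."""
    if "\x00" in filename:
        raise ValueError("NUL byte in filename rejected")
    # Treat backslashes as separators too, so Windows-style traversal is not
    # smuggled through a POSIX path library that only understands '/'.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if name in ("", ".", ".."):
        raise ValueError("empty or relative-only filename rejected")
    if Path(name).suffix.lower() not in ALLOWED_EXTENSIONS:
        raise ValueError(f"file type {Path(name).suffix!r} not allowed")
    base = Path(upload_dir).resolve()
    target = (base / name).resolve()
    # Defence in depth: even after the checks above, refuse anything that
    # resolved outside the upload directory (e.g. via a symlinked name).
    if target.parent != base:
        raise ValueError("path traversal attempt rejected")
    return str(target)


def is_inside(upload_dir: str, path: str) -> bool:
    """True if path is directly inside upload_dir after resolution."""
    return Path(path).resolve().parent == Path(upload_dir).resolve()


if __name__ == "__main__":
    # Constructed inputs for demonstration only.
    for name in ["report.csv", "../../etc/cron.d/job.csv", "/etc/passwd", "..\\..\\evil.csv"]:
        print(f"{name!r:32} unsafe -> {vulnerable_save_path('/srv/uploads', name)}")
        try:
            print(f"{'':32} safe   -> {hardened_save_path('/srv/uploads', name)}")
        except ValueError as exc:
            print(f"{'':32} safe   -> rejected: {exc}")
```

The containment check is deliberately redundant with the name stripping: the point is that no single filter is trusted, so a bypass of one (an encoding trick, a platform-specific separator) still has to get past the final resolved-path comparison.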
The critical type confusion flaw escalates the threat by potentially enabling code execution, transforming file upload vulnerabilities into full system compromise opportunities.
The affected modules handle core Tableau functionality including data source creation, flow editing, and connection establishment, making these vulnerabilities particularly dangerous for organizations relying on Tableau for business intelligence operations.
Salesforce strongly advises all Tableau Server customers to upgrade immediately to the most recent supported version.
The fixes were included in maintenance releases published July 22, 2025, providing a one-month window between patch availability and public disclosure.
Organizations should prioritize patching systems exposed to untrusted users or networks. Given the file upload nature of these vulnerabilities, administrators should also review access controls around data source creation and file upload functionality while planning upgrade schedules.