Salesforce has disclosed a series of critical security vulnerabilities in its Tableau Server platform that could allow attackers to execute remote code and gain unauthorized access to production databases.
The vulnerabilities, announced on June 26, 2025, affect multiple versions of Tableau Server and carry CVSS scores ranging from 8.0 to 8.5, indicating severe security risks that require immediate attention.
Critical Salesforce Flaws
Salesforce sent urgent notifications to all active Tableau Server portal administrators and security contacts regarding eight critical vulnerabilities addressed in the June Maintenance Release.
The company is strongly advising all Tableau Server customers to upgrade to the most recent supported version immediately to mitigate these security risks.
| CVE ID | Vulnerability Type | CVSS Score | Affected Component |
| CVE-2025-52446 | Authorization Bypass | 8.0 | tab-doc api modules |
| CVE-2025-52447 | Authorization Bypass | 8.0 | set-initial-sql tabdoc command modules |
| CVE-2025-52448 | Authorization Bypass | 8.0 | validate-initial-sql api modules |
| CVE-2025-52449 | Unrestricted File Upload (RCE) | 8.5 | Extensible Protocol Service modules |
| CVE-2025-52452 | Path Traversal | 8.5 | tabdoc api – duplicate-data-source modules |
| CVE-2025-52453 | Server-Side Request Forgery | 8.2 | Flow Data Source modules |
| CVE-2025-52454 | Server-Side Request Forgery | 8.2 | Amazon S3 Connector modules |
| CVE-2025-52455 | Server-Side Request Forgery | 8.1 | EPS Server modules |
The affected versions include Tableau Server installations before 2025.1.3, before 2024.2.12, and before 2023.3.19.
Organizations running any of these versions are particularly vulnerable to potential attacks that could compromise their entire data infrastructure.
The discovered vulnerabilities encompass several dangerous attack vectors that could severely compromise organizational security.
Remote Code Execution (RCE) capabilities represent the most critical threat, allowing attackers to execute arbitrary code on affected systems.
Additionally, the flaws enable Production Database Access via Arbitrary SQL, potentially exposing sensitive corporate data to unauthorized parties.
Other significant security risks include Local File Exposure and Server Side Request Forgery (SSRF) attacks, which could allow malicious actors to access restricted files and manipulate server requests.
These vulnerabilities collectively create a comprehensive attack surface that cybercriminals could exploit to gain extensive control over affected systems.
The severity and scope of these vulnerabilities make immediate patching essential for all Tableau Server deployments.
Organizations should prioritize updating their systems to the latest supported versions and conduct thorough security assessments to ensure no compromise has occurred.
Given the high CVSS scores and the potential for remote code execution, delaying these updates could result in significant security breaches and data compromise.
Get Free Ultimate SOC Requirements Checklist Before you build, buy, or switch your SOC for 2025 - Download Now