Salesforce has disclosed multiple high-severity vulnerabilities in Tableau Server that could allow attackers to execute code remotely, bypass authorization controls, and reach sensitive production databases.
The vulnerabilities, disclosed in a security advisory published on June 26, 2025, affect Tableau Server releases earlier than 2025.1.3, 2024.2.12, and 2023.3.19 on their respective branches, and Salesforce is urging prompt patching across enterprise environments.
Key Takeaways
1. Eight high-severity vulnerabilities (CVSS 3.1 base scores 8.0 to 8.5) affect Tableau Server versions earlier than 2025.1.3, 2024.2.12, and 2023.3.19.
2. They enable remote code execution, authorization bypass leading to production database access, server-side request forgery, and path traversal.
3. Upgrade to the latest supported maintenance release on your branch now.
High-Severity Flaws in Multiple Tableau Components
The vulnerabilities span several Tableau Server modules, giving attackers a broad attack surface.
One of the two highest-scored flaws, CVE-2025-52449 (CVSS 3.1 base score 8.5), stems from unrestricted file upload in the Extensible Protocol Service (EPS) modules.
Because the upload handler trusts a deceptive filename, an uploaded file can later be executed by a route the handler did not anticipate, yielding Remote Code Execution (RCE) and potentially full control of the server.
Three additional authorization bypass vulnerabilities (CVE-2025-52446, CVE-2025-52447, and CVE-2025-52448), each scoring 8.0 on the CVSS scale, affect the tab-doc API modules, set-initial-sql tabdoc command modules, and validate-initial-sql API modules, respectively.
In each case an identifier supplied by the client is used to select the target object without an adequate ownership or permission check (authorization bypass through a user-controlled key), which can grant unauthorized access to production database clusters holding sensitive organizational data.
Server-Side Request Forgery and Path Traversal Flaws
Server-Side Request Forgery (SSRF) is another high-severity attack vector, with three separate CVEs identified across different components.
CVE-2025-52453 (CVSS 8.2) affects Flow Data Source modules, while CVE-2025-52454 (CVSS 8.2) impacts Amazon S3 Connector modules.
The third SSRF vulnerability, CVE-2025-52455 (CVSS 8.1), targets EPS Server modules.
Each lets an attacker control where the server sends a request (resource location spoofing), so the server can be made to reach internal services that are not exposed externally.
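The connector and flow components named above all fetch a URL on the user's behalf, which is exactly where an outbound-request check belongs. The following is an added example, not code from Tableau or from the advisory; the allowed schemes, the hostnames and the constructed resolver table that stands in for DNS are assumptions so that it runs offline. It accepts only http/https, refuses embedded credentials, and rejects any target whose IP literal or resolved addresses fall in private, loopback, link-local, multicast, reserved or unspecified ranges, unwrapping IPv4-mapped IPv6 addresses so that form cannot smuggle a link-local address past the check.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed resolver table standing in for DNS so the example runs offline.
# A real implementation would call socket.getaddrinfo, check EVERY address
# returned, and then connect to the checked address rather than re-resolving
# (otherwise a DNS answer can change between check and use).
FAKE_DNS = {
    "s3.amazonaws.com": ["52.216.0.10"],
    "feed.example.net": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],
    "rebind.attacker.test": ["93.184.216.34", "10.0.0.5"],  # second answer is private
}


def is_public(ip) -> bool:
    """True only for addresses outside private, loopback, link-local,
    multicast, reserved and unspecified ranges."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped            # ::ffff:169.254.169.254 -> 169.254.169.254
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_outbound_url(url: str, resolver=FAKE_DNS.get):
    """Return (allowed, reason) for a URL the server has been asked to fetch."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    host = parts.hostname                  # lower-cased, brackets stripped
    if not host:
        return False, "no host in URL"
    try:
        # IP literal, including bracketed IPv6. ipaddress does not accept
        # single-number forms such as 2130706433 or 0x7f000001; those fall
        # through to the resolver, which has no entry for them, so they are
        # denied by default rather than interpreted as 127.0.0.1.
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        answers = resolver(host)
        if not answers:
            return False, f"host does not resolve: {host}"
        addrs = [ipaddress.ip_address(a) for a in answers]
    for ip in addrs:
        if not is_public(ip):
            return False, f"{host} maps to non-public address {ip}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample URLs for the demonstration.
    for u in ("https://s3.amazonaws.com/bucket/key",
              "http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:169.254.169.254]/",
              "http://rebind.attacker.test/",
              "http://0x7f000001/",
              "file:///etc/passwd"):
        print(f"{u:45} -> {check_outbound_url(u)}")
```

Two things the check cannot cover on its own: HTTP redirects, where a public host answers 302 to an internal address (disable automatic redirects or re-run this check on every hop), and the response body, which should be treated as untrusted input whatever the target was.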
A significant path traversal vulnerability designated as CVE-2025-52452 (CVSS 8.5) affects the tabdoc API duplicate-data-source modules.
The module does not adequately restrict a supplied pathname to its intended directory, so an absolute path can be used to read files elsewhere on the server filesystem.
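The absolute-path variant of path traversal is easy to introduce because the common join helpers discard the base directory when the second argument is absolute. The following is an added example, not code from Tableau or from the advisory; the base directory and the sample paths are constructed for the demonstration. It shows the weak join beside a resolver that rejects absolute paths, parent references, NUL bytes and Windows-style syntax, then verifies containment after normalisation with a real path comparison rather than a string prefix.

```python
import posixpath
from pathlib import PurePosixPath

# Constructed base directory for the example; a real server would use the
# data-source store it is configured with.
BASE_DIR = "/var/opt/tableau/datasources"


def vulnerable_resolve(base: str, user_path: str) -> str:
    """The weak pattern. posixpath.join (what os.path.join does on Linux)
    silently discards `base` when the second argument is absolute, and a
    '..' component is never examined."""
    return posixpath.join(base, user_path)


def safe_resolve(base: str, user_path: str) -> str:
    """Return the absolute path for `user_path` inside `base`, or raise
    ValueError. Uses posixpath throughout so behaviour is the same on every OS."""
    if not user_path:
        raise ValueError("empty path")
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    if "\\" in user_path or (len(user_path) > 1 and user_path[1] == ":"):
        raise ValueError("Windows-style separators or drive letters not permitted")
    p = PurePosixPath(user_path)
    if p.is_absolute():                    # catches '/etc/passwd' and '//etc/passwd'
        raise ValueError("absolute path not permitted")
    if ".." in p.parts:
        raise ValueError("parent-directory reference not permitted")
    base_norm = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base_norm, user_path))
    # Containment check after normalisation. commonpath, not startswith, so
    # that '/data/xy' is not accepted as being inside base '/data/x'.
    if posixpath.commonpath([base_norm, candidate]) != base_norm:
        raise ValueError("path escapes base directory")
    # Note: this check is lexical. If `base` may contain symlinks, also
    # realpath() both sides before comparing, or open with O_NOFOLLOW.
    return candidate


def is_within_base(base: str, user_path: str) -> bool:
    """Boolean wrapper around safe_resolve for callers that only need a verdict."""
    try:
        safe_resolve(base, user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs for the demonstration.
    for up in ("reports/q1.hyper", "/etc/passwd", "../../../../etc/passwd",
               "reports/../../secrets.txt", "C:\\Windows\\win.ini"):
        print(f"{up:28} weak={vulnerable_resolve(BASE_DIR, up)!r:45} "
              f"safe={is_within_base(BASE_DIR, up)}")
```

Run the check on the path exactly once after the web framework has URL-decoded it; decoding a second time inside the check reintroduces `%252e%252e` style bypasses.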
| CVE ID | Vulnerability Title | CVSS 3.1 Score | Severity |
|---|---|---|---|
| CVE-2025-52446 | Authorization Bypass Through User-Controlled Key | 8.0 | High |
| CVE-2025-52447 | Authorization Bypass Through User-Controlled Key | 8.0 | High |
| CVE-2025-52448 | Authorization Bypass Through User-Controlled Key | 8.0 | High |
| CVE-2025-52449 | Unrestricted Upload of File with Dangerous Type | 8.5 | High |
| CVE-2025-52452 | Improper Limitation of a Pathname to a Restricted Directory | 8.5 | High |
| CVE-2025-52453 | Server-Side Request Forgery (SSRF) | 8.2 | High |
| CVE-2025-52454 | Server-Side Request Forgery (SSRF) | 8.2 | High |
| CVE-2025-52455 | Server-Side Request Forgery (SSRF) | 8.1 | High |
Mitigations
Salesforce strongly advises all Tableau Server customers to implement immediate remediation measures.
Organizations should update to the latest supported Maintenance Release within their current branch, available through the official Tableau Server Maintenance Release page.
Customers using Trino (formerly Presto) drivers must also update to the latest driver version.
For organizations running unsupported Tableau Server versions, Salesforce recommends upgrading to a supported version to keep receiving security updates and technical support.
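Because the fix lands on three separate branches, "am I patched?" is a per-branch comparison rather than a single version threshold. The following is an added example, not a tool from Salesforce or Tableau; it encodes the fixed releases named above and classifies a version string as vulnerable, patched, on an unlisted older branch, or newer than the advisory covers. The inventory format and the `Tableau Server version:` output line it parses are assumptions for the demonstration.

```python
import re

# Fixed releases named in the advisory summarised above, keyed by branch.
FIXED_RELEASES = {
    (2025, 1): (2025, 1, 3),
    (2024, 2): (2024, 2, 12),
    (2023, 3): (2023, 3, 19),
}

_VERSION_RE = re.compile(r"\b(20\d{2})\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> tuple:
    """Extract YYYY.minor.maintenance from a bare version string or from a
    line of tool output containing one, e.g. 'Tableau Server version: 2024.2.11'
    (that output format is an assumption for the example)."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Tableau Server version found in {text!r}")
    return tuple(int(g) for g in m.groups())


def fmt(v: tuple) -> str:
    return ".".join(str(x) for x in v)


def assess(text: str) -> tuple:
    """Return (status, advice); status is 'vulnerable', 'patched',
    'unsupported' or 'unknown'."""
    version = parse_version(text)
    branch = version[:2]
    if branch in FIXED_RELEASES:
        fixed = FIXED_RELEASES[branch]
        if version < fixed:                   # tuple comparison: 2024.2.11 < 2024.2.12
            return ("vulnerable",
                    f"{fmt(version)} is below {fmt(fixed)}; apply the latest "
                    f"{fmt(branch)} maintenance release")
        return "patched", f"{fmt(version)} is at or above {fmt(fixed)}"
    if branch > max(FIXED_RELEASES):
        return ("unknown",
                f"{fmt(branch)} is newer than the branches named in the advisory; "
                "check the vendor release notes")
    return ("unsupported",
            f"{fmt(branch)} is not a branch the advisory names as receiving a fix; "
            "move to a supported branch")


def assess_fleet(inventory: dict) -> dict:
    """Assess a {hostname: version string} inventory -> {hostname: (status, advice)}."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory for the demonstration.
    fleet = {
        "tableau-prod-01": "Tableau Server version: 2024.2.11",
        "tableau-prod-02": "2025.1.3",
        "tableau-legacy":  "2022.4.9",
    }
    for host, (status, advice) in assess_fleet(fleet).items():
        print(f"{host:16} {status:12} {advice}")
```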