Salesforce Security has identified and patched five distinct vulnerabilities in Tableau Server and Tableau Desktop, with the fixes released in the July 22, 2025, Maintenance Release. The most severe of these, CVE-2025-26496, is a critical vulnerability with a CVSS score of 9.6. It’s categorized as ‘Access of Resource Using Incompatible Type’ or Type Confusion, affecting the file upload modules. This vulnerability allows for Local Code Inclusion attacks, enabling attackers to execute arbitrary code on the compromised system. The affected versions include Tableau Server versions before 2025.1.4, before 2024.2.13, and before 2023.3.20.
The type confusion flaw (CVE-2025-26496) occurs when the application misinterprets the data type of a file during the upload process. This misinterpretation can be exploited to bypass security checks and execute malicious code. Additionally, two other critical vulnerabilities, CVE-2025-26497 and CVE-2025-26498, both with a CVSS score of 7.7, are present. These are Unrestricted File Upload vulnerabilities affecting the Flow Editor and establish-connection-no-undo modules, respectively. These flaws enable Absolute Path Traversal attacks, where an attacker can write files to any location on the server’s filesystem.
Two additional path traversal vulnerabilities, CVE-2025-52450 and CVE-2025-52451, both rated with a CVSS score of 8.5, were found in the tabdoc API’s create-data-source-from-file-upload modules. CVE-2025-52450 is an ‘Improper Limitation of a Pathname to a Restricted Directory’ vulnerability. CVE-2025-52451 involves ‘Improper Input Validation’. Both of these vulnerabilities allow attackers to perform directory traversal attacks. By using malicious payloads, they can access sensitive system files outside the designated upload directory.
The improper input validation vulnerability (CVE-2025-52451) is particularly dangerous as it allows attackers to bypass standard path sanitization mechanisms. This can be achieved through techniques such as double encoding (%252e%252e%252f) or Unicode normalization attacks. These methods obfuscate the malicious file path, allowing it to bypass security filters. Attackers can leverage these flaws to gain access to configuration files, overwrite critical system files, or plant webshells—malicious scripts that provide a persistent backdoor for remote access.
The core issue across all these vulnerabilities is the inadequate validation of user-supplied file paths and data types. In an enterprise environment, a successful exploit could lead to a complete system compromise. From there, attackers could perform lateral movement—moving through the network to access other systems—and privilege escalation—gaining higher levels of access. Given the severity of these flaws and their potential impact, all administrators of Tableau Server and Tableau Desktop should apply the latest security patches immediately to mitigate the risk of exploitation.
Reference:
