What vulnerabilities were patched in Salesforce Tableau Server and Desktop?

Salesforce patched multiple vulnerabilities in Tableau Server and Tableau Desktop, including CVE-2025-26496 (CVSS 9.6), CVE-2025-52451 (CVSS 8.5), CVE-2025-52450 (CVSS 8.5), CVE-2025-26497 (CVSS 7.7), and CVE-2025-26498 (CVSS 7.7). These vulnerabilities potentially enable authenticated attackers to write files to arbitrary locations, execute malicious code, and compromise entire Tableau instances.

What is the most severe Tableau vulnerability discovered?

CVE-2025-26496 is the most severe vulnerability with a CVSS score of 9.6. It's an Access of Resource Using Incompatible Type ('Type Confusion') vulnerability affecting Salesforce Tableau Server & Tableau Desktop on Windows and Linux that allows Local Code Inclusion and could enable attackers to execute malicious code.

What can attackers do with these Tableau vulnerabilities?

These vulnerabilities potentially enable authenticated attackers to write files to arbitrary locations on the server filesystem, execute malicious code, and compromise entire Tableau instances. The most severe vulnerability (CVE-2025-26496) allows for local code inclusion and malicious code execution.

What versions of Tableau are affected by these vulnerabilities?

The vulnerabilities impact Tableau Server versions before 2025.1.4, before 2024.2.13, and before 2023.3.20. The type confusion flaw (CVE-2025-26496) also affects corresponding Tableau Desktop versions. All affected systems run on Windows and Linux platforms.

What platforms are affected by the Tableau vulnerabilities?

All the discovered vulnerabilities affect Tableau Server and Desktop installations running on both Windows and Linux platforms.

What are the path traversal vulnerabilities in Tableau?

Multiple path traversal vulnerabilities were discovered: CVE-2025-52451 and CVE-2025-52450 (both CVSS 8.5) affecting tabdoc api create-data-source-from-file-upload modules, CVE-2025-26497 (CVSS 7.7) affecting Flow Editor modules, and CVE-2025-26498 (CVSS 7.7) affecting establish-connection-no-undo modules. All allow Absolute Path Traversal and could enable attackers to write files to arbitrary locations on the server filesystem.

Which Tableau systems should be prioritized for patching?

Organizations should prioritize patching Tableau systems that are exposed to untrusted (external) users or networks, as these present the highest risk for exploitation of the discovered vulnerabilities.

What modules are affected by the Tableau vulnerabilities?

The vulnerabilities affect various Tableau modules including File Upload modules (CVE-2025-26496), tabdoc api create-data-source-from-file-upload modules (CVE-2025-52451 and CVE-2025-52450), Flow Editor modules (CVE-2025-26497), and establish-connection-no-undo modules (CVE-2025-26498).

Advisory

Salesforce patches multiple flaws in Tableau Server, at least one critical

published: Aug. 25, 2025

Take action: If you use Tableau Server or Tableau Desktop, plan an update to the latest version - especially if you have external untrusted users on the server. Even if you only have internal users, it's still wise to patch, because user accounts can be hacked via infostealers, phishing or malware. Or just have a disgruntled employee.

Learn More

Salesforce has patched multiple vulnerabilities in Tableau Server and Tableau Desktop. The vulnerabilities potentially enablr authenticated attackers to write files to arbitrary locations, execute malicious code, and compromise entire Tableau instances.

Vulnerabilities summary

CVE-2025-26496 (CVSS score 9.6) - Access of Resource Using Incompatible Type ('Type Confusion') vulnerability affecting Salesforce Tableau Server & Tableau Desktop on Windows, Linux (File Upload modules) allows Local Code Inclusion. It could enable attackers to execute malicious code.
CVE-2025-52451 (CVSS score 8.5) - Improper Input Validation vulnerability affecting Salesforce Tableau Server on Windows, Linux (tabdoc api - create-data-source-from-file-upload modules) allows Absolute Path Traversal. It could allow attackers to write files to arbitrary locations on the server filesystem.
CVE-2025-52450 (CVSS score 8.5) - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability affecting Salesforce Tableau Server on Windows, Linux (tabdoc api - create-data-source-from-file-upload modules) allows Absolute Path Traversal. It could allow attackers to write files to arbitrary locations on the server filesystem.
CVE-2025-26497 (CVSS score 7.7) - Unrestricted Upload of File with Dangerous Type vulnerability affecting Salesforce Tableau Server on Windows, Linux (Flow Editor modules) allows Absolute Path Traversal. It could allow attackers to write files to arbitrary locations on the server filesystem.
CVE-2025-26498 (CVSS score 7.7) - Unrestricted Upload of File with Dangerous Type vulnerability affecting Salesforce Tableau Server on Windows, Linux (establish-connection-no-undo modules) allows Absolute Path Traversal. It could allow attackers to write files to arbitrary locations on the server filesystem.

The vulnerabilities impact Tableau Server versions before 2025.1.4, before 2024.2.13, and before 2023.3.20. Тhe type confusion flaw also affecting corresponding Tableau Desktop versions. All affected systems run on Windows and Linux platforms.

Salesforce strongly advises all Tableau Server customers to upgrade immediately to the most recent supported version. Organizations should prioritize patching systems that are exposed to untrusted (external) users or networks.

Salesforce patches multiple flaws in Tableau Server, at least one critical

Read More
Unpatched Citrix NetScaler Systems Targeted
SolarWinds patches critical vulnerabilities in Serv-U
Multiple security flaws reported in Versa Concerto platform, …
Another critical Confluence vulnerability - patch ASAP
IBM fixes a critical security flaw in Power …