Salesforce Security has announced the resolution of multiple vulnerabilities in Tableau Server, identified during a proactive security assessment. The flaws, which were patched in the July 22, 2025 Maintenance Release, posed significant risks to enterprises running unpatched versions of Tableau Server.
The issues affected Tableau Server versions before 2025.1.3, 2024.2.12, and 2023.3.19. Customers are strongly urged to update to the latest supported release. The vulnerabilities include:
- CVE-2025-26496 – Type Confusion (CVSS 9.6)
  A flaw in Tableau Server and Tableau Desktop (File Upload modules) that could lead to Local Code Inclusion. Salesforce notes, "Access of Resource Using Incompatible Type ('Type Confusion') vulnerability … allows Local Code Inclusion."
- CVE-2025-26497 & CVE-2025-26498 – Dangerous File Uploads (CVSS 7.7)
  These vulnerabilities, found in the Flow Editor and establish-connection-no-undo modules, allowed attackers to perform Absolute Path Traversal.
- CVE-2025-52450 – Path Traversal (CVSS 8.5)
  An Improper Limitation of Pathname in the tabdoc API could allow attackers to bypass directory restrictions and gain unauthorized file access.
- CVE-2025-52451 – Improper Input Validation (CVSS 8.5)
  Another issue in the tabdoc API that enabled Absolute Path Traversal, underscoring weaknesses in input validation within the file upload mechanism.
With CVSS scores ranging up to 9.6, these vulnerabilities fall into the critical to high severity range. Exploitation could allow attackers to execute malicious code, bypass directory protections, or manipulate file uploads: serious risks in environments where Tableau Server is integrated into enterprise reporting and analytics workflows.
Salesforce has released fixes across supported versions. The advisory states: "Customers should update Tableau Server to the latest supported Maintenance Release in your branch, which can be downloaded from the Tableau Server Maintenance Release page."
Affected customers should upgrade immediately to:
- 2025.1.4 or later
- 2024.2.13 or later
- 2023.3.20 or later
The patches are available via the Tableau Server Maintenance Release page.
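To check a fleet against the upgrade targets listed above, the following added example (not code from Salesforce or the original article) groups hosts by whether their reported version meets the fixed maintenance release for its branch. The `YEAR.RELEASE.MAINTENANCE` version format, the function names, and the sample inventory are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Fixed maintenance release per branch, from the article's upgrade list.
FIXED_MAINTENANCE = {(2025, 1): 4, (2024, 2): 13, (2023, 3): 20}

# Assumption: versions are reported as YEAR.RELEASE.MAINTENANCE, e.g. 2024.2.7.
VERSION_RE = re.compile(r"^(\d{4})\.(\d+)\.(\d+)$")


def triage(version):
    """Return 'patched', 'update', 'unlisted-branch' or 'unparsed'."""
    match = VERSION_RE.match(version.strip())
    if not match:
        return "unparsed"
    year, release, maintenance = (int(part) for part in match.groups())
    fixed = FIXED_MAINTENANCE.get((year, release))
    if fixed is None:
        # The article names no fixed release for this branch; check the advisory.
        return "unlisted-branch"
    return "patched" if maintenance >= fixed else "update"


def triage_inventory(inventory):
    """Group hostnames by triage status; input is {hostname: version}."""
    grouped = defaultdict(list)
    for host, version in sorted(inventory.items()):
        grouped[triage(version)].append(host)
    return dict(grouped)


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = {
    "tableau-prod-01": "2025.1.4",
    "tableau-prod-02": "2024.2.9",
    "tableau-dr-01": "2023.3.19",
    "tableau-lab-01": "2022.3.5",
    "tableau-lab-02": "unknown",
}

if __name__ == "__main__":
    for status, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts)}")
```

Hosts reported as `unlisted-branch` or `unparsed` need a manual check against the vendor advisory, since the article names no fixed release for them.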