Salesforce has released a security advisory addressing eight serious vulnerabilities affecting multiple versions of Tableau Server, the widely used data visualization and business intelligence platform. Disclosed and patched in the June 26, 2025 Maintenance Release, these flaws include issues that could lead to remote code execution, production database exposure, and server-side request forgery (SSRF).
CVE-2025-52446, CVE-2025-52447, CVE-2025-52448: Unauthorized Database Access via Arbitrary SQL
These three vulnerabilities stem from improper authorization controls within Tableau's tab-doc API, set-initial-sql, and validate-initial-sql features. Exploiting these flaws allows a user to manipulate session-level settings and send arbitrary SQL statements to the production database clusters. This means an attacker could potentially gain elevated access to backend systems and exfiltrate or modify critical data. These flaws are particularly dangerous because they bypass intended isolation boundaries between users and production infrastructure.
CVE-2025-52449: Remote Code Execution via Malicious File Upload
In one of the most severe issues identified, Salesforce reports a vulnerability in Tableau's Extensible Protocol Service that allows for unrestricted file uploads. By disguising executable files with deceptive filenames, attackers can upload malicious payloads and trigger their execution on the server. The system's inability to verify the integrity or intent of uploaded files leaves it vulnerable to full remote code execution (RCE).
CVE-2025-52452: Absolute Path Traversal Leads to Sensitive File Exposure
Another critical vulnerability affects the duplicate-data-source module in the tabdoc API. This absolute path traversal vulnerability lets attackers craft requests that bypass directory restrictions, allowing them to read arbitrary files from the host system. Such access may expose sensitive configuration files, stored credentials, or internal logs that could be used in subsequent attacks.
CVE-2025-52453, CVE-2025-52454, CVE-2025-52455: Server-Side Request Forgery in Multiple Components
Three related SSRF vulnerabilities were identified in the Flow Data Source, Amazon S3 Connector, and EPS Server modules. These allow attackers to craft requests that force Tableau Server to initiate network connections to internal or external systems without authorization. With SSRF, a threat actor could target cloud metadata services, internal administrative endpoints, or restricted databases, bypassing firewall rules and potentially pivoting deeper into an organization's infrastructure.
The vulnerabilities impact Tableau Server versions:
- Before 2025.1.3
- Before 2024.2.12
- Before 2023.3.19
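As an added example (not from the advisory or from Salesforce), a small Python check that classifies Tableau Server version strings against the fixed versions listed above, so an administrator can triage an inventory quickly. The sample hostnames and the build suffix are constructed, and the treatment of branches the advisory does not name is an assumption: they are flagged for manual review rather than judged.

```python
import re

# Fixed versions from the June 26, 2025 Tableau Server advisory, keyed by
# release branch (year, release number).
FIXED_VERSIONS = {
    (2025, 1): (2025, 1, 3),
    (2024, 2): (2024, 2, 12),
    (2023, 3): (2023, 3, 19),
}

# Leading "YYYY.release.maintenance" triplet; anything after it is ignored.
_VERSION_RE = re.compile(r"^\s*(\d{4})\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (year, release, maintenance) from a string such as '2024.2.11'.
    A trailing build identifier after the triplet is ignored."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised Tableau Server version: {text!r}")
    return tuple(int(part) for part in match.groups())


def assess(text):
    """Classify a version against the advisory.

    'affected' : the version predates the fix for its branch
    'fixed'    : the version is at or past the fix for its branch
    'unlisted' : the branch is not named in the advisory; review it manually
                 (assumption: nothing is inferred about such branches here)
    """
    version = parse_version(text)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return "unlisted"
    # Tuple comparison orders (year, release, maintenance) lexicographically.
    return "affected" if version < fixed else "fixed"


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and build suffix are made up.
    inventory = {
        "tableau-prod-01": "2025.1.2",
        "tableau-prod-02": "2024.2.12 (20242.25.0612.1234)",
        "tableau-dev-01": "2023.3.18",
        "tableau-lab-01": "2024.1.9",
    }
    for host, ver in inventory.items():
        print(f"{host}: {ver} -> {assess(ver)}")
```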
According to the advisory, attackers could exploit these flaws to gain unauthorized access to production databases, upload and execute malicious files, and spoof resource locations using SSRF.
Salesforce urges all administrators to update to the latest supported release to avoid potential exploitation.