Salesforce has addressed multiple high-severity vulnerabilities affecting Tableau Server and Tableau Desktop as part of its July Maintenance Release, published on July 22, 2025.
The security flaws, discovered through proactive security assessment, impact various file handling and data processing modules across Windows and Linux platforms.
The most severe vulnerability, CVE-2025-26496, carries a critical CVSS v3 score of 9.6 and affects both Tableau Server and Desktop applications.
This type confusion vulnerability in file upload modules allows attackers to carry out local code inclusion attacks, potentially leading to complete system compromise.
The flaw impacts versions before 2025.1.4, before 2024.2.13, and before 2023.3.20.
Path Traversal Vulnerabilities Dominate Security Bulletin
Four of the five disclosed vulnerabilities involve path traversal attacks, enabling malicious actors to access files and directories outside intended boundaries.
CVE-2025-52450 and CVE-2025-52451 both target the tabdoc API’s create-data-source-from-file-upload modules with CVSS scores of 8.5, classified as high severity.
These vulnerabilities stem from improper pathname limitation and input validation failures, respectively.
The remaining path traversal flaws, CVE-2025-26497 and CVE-2025-26498, affect different server components with CVSS scores of 7.7.
CVE-2025-26497 affects the Flow Editor modules through unrestricted file uploads, while CVE-2025-26498 affects the establish-connection-no-undo modules through a similar unrestricted-upload vector.
Both vulnerabilities affect Tableau Server installations on Windows and Linux platforms running versions before the patched releases.
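The two weaknesses the bulletin names for the upload-related flaws, improper pathname limitation and missing input validation, are easiest to see side by side. The Python below is an added example, not Tableau's code: UPLOAD_ROOT, the function names and the sample filenames are assumptions, and the containment check uses POSIX separators.

```python
import posixpath

UPLOAD_ROOT = "/srv/tableau/uploads"  # hypothetical upload directory


class PathTraversalError(ValueError):
    """Raised when a client-supplied filename would leave UPLOAD_ROOT."""


def vulnerable_upload_path(filename: str) -> str:
    # Improper pathname limitation: the client-supplied name is joined as-is,
    # so "../../etc/passwd" or an absolute path escapes the upload directory.
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, filename))


def safe_upload_path(filename: str) -> str:
    # Input validation first: reject empty names and NUL bytes before any
    # path arithmetic happens.
    if not filename or "\x00" in filename:
        raise PathTraversalError("invalid filename")
    root = posixpath.normpath(UPLOAD_ROOT)
    candidate = posixpath.normpath(posixpath.join(UPLOAD_ROOT, filename))
    # Pathname limitation: the normalised result must sit strictly below the
    # root. Comparing against root + "/" (not a bare prefix) also rejects
    # sibling directories such as "/srv/tableau/uploads2".
    if not candidate.startswith(root + "/"):
        raise PathTraversalError(f"path escapes upload root: {filename!r}")
    # Note: this is a lexical check. Symlinks already present under the
    # upload root still need an os.path.realpath() check at write time.
    return candidate


def is_safe_upload(filename: str) -> bool:
    """Convenience wrapper returning True only for names that stay in root."""
    try:
        safe_upload_path(filename)
        return True
    except PathTraversalError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real request.
    for name in ["report.hyper", "sub/../ok.csv", "../../etc/passwd", "/etc/passwd"]:
        print(f"{name!r:22} vulnerable -> {vulnerable_upload_path(name)}"
              f"  safe -> {is_safe_upload(name)}")
```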
Comprehensive Vulnerability Overview
| CVE ID | Vulnerability Type | CVSS Score | Severity | Affected Products | Attack Vector |
|---|---|---|---|---|---|
| CVE-2025-26496 | Type Confusion | 9.6 | Critical | Server & Desktop | Local Code Inclusion |
| CVE-2025-26497 | Unrestricted File Upload | 7.7 | High | Server | Path Traversal |
| CVE-2025-26498 | Unrestricted File Upload | 7.7 | High | Server | Path Traversal |
| CVE-2025-52450 | Path Traversal | 8.5 | High | Server | Path Traversal |
| CVE-2025-52451 | Input Validation | 8.5 | High | Server | Path Traversal |
All vulnerabilities affect Tableau Server versions before 2025.1.3, before 2024.2.12, and before 2023.3.19, with the desktop application additionally impacted by the critical type confusion flaw.
The security issues span multiple components, including file upload modules, Flow Editor, connection establishment processes, and data source creation APIs.
Salesforce strongly recommends immediate upgrades to the latest supported maintenance release in each respective branch.
Organizations can download patches from the official Tableau Server Maintenance Release page.
The proactive identification and resolution of these vulnerabilities demonstrates Salesforce’s commitment to maintaining robust security postures across its business intelligence platform ecosystem.