The security flaws, discovered through proactive security assessment, impact various file handling and data processing modules across Windows and Linux platforms.
The most severe vulnerability, CVE-2025-26496, carries a critical CVSS v3 score of 9.6 and affects both Tableau Server and Desktop applications.
This type of confusion vulnerability in file upload modules allows attackers to execute local code inclusion attacks, potentially leading to complete system compromise.
The flaw impacts versions before 2025.1.4, before 2024.2.13, and before 2023.3.20.
Four of the five disclosed vulnerabilities involve path traversal attacks, enabling malicious actors to access files and directories outside intended boundaries.
CVE-2025-52450 and CVE-2025-52451 both target the tabdoc API’s create-data-source-from-file-upload modules with CVSS scores of 8.5, classified as high severity.
These vulnerabilities stem from improper pathname limitation and input validation failures, respectively.
The remaining path traversal flaws, CVE-2025-26497 and CVE-2025-26498, affect different server components with CVSS scores of 7.7.
CVE-2025-26497 exploits the Flow Editor modules through unrestricted file uploads, while CVE-2025-26498 targets the establish-connection-no-undo modules using similar attack vectors.
Both vulnerabilities affect Tableau Server installations on Windows and Linux platforms running versions before the patched releases.
| CVE ID | Vulnerability Type | CVSS Score | Severity | Affected Products | Attack Vector |
|---|---|---|---|---|---|
| CVE-2025-26496 | Type Confusion | 9.6 | Critical | Server & Desktop | Local Code Inclusion |
| CVE-2025-26497 | Unrestricted File Upload | 7.7 | High | Server | Path Traversal |
| CVE-2025-26498 | Unrestricted File Upload | 7.7 | High | Server | Path Traversal |
| CVE-2025-52450 | Path Traversal | 8.5 | High | Server | Path Traversal |
| CVE-2025-52451 | Input Validation | 8.5 | High | Server | Path Traversal |
All vulnerabilities affect Tableau Server versions before 2025.1.3, before 2024.2.12, and before 2023.3.19, with the desktop application additionally impacted by the critical type confusion flaw.
The security issues span multiple components, including file upload modules, Flow Editor, connection establishment processes, and data source creation APIs.
Salesforce strongly recommends immediate upgrades to the latest supported maintenance release in each respective branch.
Organizations can download patches from the official Tableau Server Maintenance Release page.
The proactive identification and resolution of these vulnerabilities demonstrates Salesforce’s commitment to maintaining robust security postures across its business intelligence platform ecosystem.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates
The post Critical Tableau Server Flaw Enables Malicious File Uploads appeared first on Cyber Security News.
Invincible is returning for its fourth season, which will finally pit Mark against one of…
The GeForce RTX 5070 Ti is an excellent graphics card for gaming at up to…
Lindsey Vaughn, a single mother of three and survivor of family violence, was recognized as…
BRECKENRIDGE, Texas (KTAB/KRBC) - On this week's episode of "Bite of West Texas," host Heather…
ABILENE, Texas (KTAB/KRBC) - Longtime Abilene community leader Steve Abel has died, leaving behind a…
TAYLOR COUNTY, Texas (KTAB/KRBC) -The Taylor County Sheriff's Office is currently 'monitoring' a property that…
This website uses cookies.