Critical Tableau Server Flaw Allows Attackers to Upload and Execute Malicious Files

A severe security flaw has been discovered in Tableau Server, which could allow attackers to upload and execute malicious files, leading to full system takeover.

This vulnerability, tracked as CVE-2025-26496 with a CVSS score of 9.6, impacts several versions of Tableau Server and Tableau Desktop on both Windows and Linux platforms.

Key Highlights

  1. Attackers can exploit Tableau Server to upload harmful files and execute arbitrary code using type confusion techniques.
  2. Five vulnerabilities were identified, enabling file upload bypasses and path traversal attacks.
  3. Immediate patching is required for all vulnerable Tableau Server versions.

Tableau Server File Upload Flaws

Salesforce Security uncovered five distinct weaknesses during a proactive audit. Fixes were rolled out in the July 22, 2025 Maintenance Release.

The most dangerous issue, CVE-2025-26496, stems from Type Confusion within the File Upload modules. This flaw could allow Local Code Inclusion attacks, enabling execution of malicious scripts on compromised systems.

Affected Versions:

  • Tableau Server before 2025.1.4
  • Tableau Server before 2024.2.13
  • Tableau Server before 2023.3.20

The flaw occurs when the system mishandles data types during file processing, allowing attackers to bypass controls and execute arbitrary payloads.

Additional File Upload Vulnerabilities

Two other dangerous bugs, CVE-2025-26497 and CVE-2025-26498 (both CVSS 7.7), were also reported. These involve Unrestricted File Uploads within the Flow Editor and establish-connection-no-undo modules.

Attackers could abuse these flaws to launch Absolute Path Traversal attacks, enabling them to plant files in arbitrary server directories.

Path Traversal Weaknesses

Two high-severity path traversal bugs were also confirmed:

  • CVE-2025-52450 – Improper restriction of directory paths (CVSS 8.5).
  • CVE-2025-52451 – Improper input validation (CVSS 8.5).

These impact the tabdoc API (create-data-source-from-file-upload modules).
Attackers can exploit weak validation to bypass path sanitization using double encoding (%252e%252e%252f) or Unicode tricks, allowing access to sensitive files or even overwriting system configs.

Such exploitation could result in persistent access via webshells, data theft, or privilege escalation inside enterprise networks.

IOCs (Indicators of Compromise)

| CVE ID | Vulnerability Type | CVSS 3.1 Score | Severity |
|---|---|---|---|
| CVE-2025-26496 | Type Confusion in File Upload (Local Code Inclusion) | 9.6 | Critical |
| CVE-2025-26497 | Dangerous File Upload in Flow Editor | 7.7 | High |
| CVE-2025-26498 | Dangerous File Upload in establish-connection module | 7.7 | High |
| CVE-2025-52450 | Path Traversal – Improper Directory Restriction | 8.5 | High |
| CVE-2025-52451 | Path Traversal – Improper Input Validation | 8.5 | High |

Recommended Actions

  • Upgrade immediately to the patched Tableau Server versions released on July 22, 2025.
  • Review access logs for abnormal file upload activity.
  • Deploy Web Application Firewall (WAF) rules to detect and block path traversal attempts.
  • Perform post-patch security checks to confirm systems were not previously compromised.
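
To support the log-review and WAF-rule actions above, here is an added example (not code from the advisory or from Tableau) of a log scanner that normalises double-encoded (%252e%252e%252f) and overlong-UTF-8 variants before checking for a `..` path component, so nested encodings cannot hide a traversal attempt. The log lines and the upload endpoint paths are constructed for the example and are assumptions, not real Tableau routes.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (assumed paths, not real Tableau routes):
# a benign upload, a double-encoded traversal, an overlong-UTF-8 traversal,
# and an unrelated request that must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Jul/2025:10:01:02 +0000] "POST /api/tabdoc/create-data-source-from-file-upload?name=sales.csv HTTP/1.1" 200 512
10.0.0.9 - - [23/Jul/2025:10:02:07 +0000] "POST /api/tabdoc/create-data-source-from-file-upload?name=%252e%252e%252f%252e%252e%252fconfig.yml HTTP/1.1" 200 512
10.0.0.9 - - [23/Jul/2025:10:02:09 +0000] "POST /flow-editor/upload?path=%c0%ae%c0%ae/config HTTP/1.1" 200 64
10.0.0.7 - - [23/Jul/2025:10:03:11 +0000] "GET /views/dashboard HTTP/1.1" 200 2048
"""

# Pull method and request target out of a common-log-format line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
# Overlong UTF-8 encodings of "." that lenient decoders accept; fold them to "."
# before percent-decoding, since unquote() would turn them into U+FFFD.
OVERLONG_DOT = re.compile(r"%c0%ae|%e0%80%ae", re.IGNORECASE)
# A ".." path component followed by a separator or end of string.
TRAVERSAL = re.compile(r"\.\.(?:[/\\]|$)")

def normalize(target: str, max_rounds: int = 5) -> str:
    """Percent-decode repeatedly until the string stops changing, folding
    overlong and backslash variants, so %252e%252e%252f ends up as '../'."""
    s = target
    for _ in range(max_rounds):
        decoded = unquote(OVERLONG_DOT.sub(".", s))
        if decoded == s:
            break
        s = decoded
    return s.replace("\\", "/")

def find_traversal(log_text: str) -> list:
    """Return (client_ip, raw_target) for every request whose fully decoded
    target still contains a '..' path component."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        if TRAVERSAL.search(normalize(m.group("target"))):
            hits.append((line.split()[0], m.group("target")))
    return hits

if __name__ == "__main__":
    for ip, target in find_traversal(SAMPLE_LOG):
        print(f"possible traversal from {ip}: {target}")
```

The same normalisation belongs in a WAF rule: compare against the repeatedly decoded target, not the raw one, or a single extra encoding layer slips past the check.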

Failure to patch leaves organizations exposed to remote code execution, ransomware deployment, and data breaches. Security teams must treat this as a high-priority emergency.