
CVEs for various vulnerabilities impacting some versions of Tableau Server and Tableau Desktop

Publication date: Aug 22, 2025
Description

Salesforce Security identified and resolved multiple vulnerabilities in Tableau Server as part of a proactive security assessment. Fixes for these issues were included in the July Maintenance Release, published on July 22, 2025.

The vulnerabilities included:

  • Access of Resource Using Incompatible Type ('Type Confusion') 

  • Unrestricted Upload of File with Dangerous Type

  • Improper Limitation of a Pathname to a Restricted Directory

  • Improper Input Validation

This issue affects Tableau Server versions: before 2025.1.3, before 2024.2.12, before 2023.3.19.

All Tableau Server customers are strongly advised to upgrade to the most recent supported version. More information on each vulnerability is provided below. 

CVE-2025-26496 - Access of Resource Using Incompatible Type ('Type Confusion') vulnerability in Salesforce Tableau Server & Tableau Desktop on Windows, Linux (File Upload modules) allows Local Code Inclusion. This issue affects Tableau Server & Tableau Desktop: before 2025.1.4, before 2024.2.13, before 2023.3.20. CVSSv3 Score: 9.6

CVE-2025-26497 - Unrestricted Upload of File with Dangerous Type vulnerability in Salesforce Tableau Server on Windows, Linux (Flow Editor modules) allows Absolute Path Traversal. This issue affects Tableau Server: before 2025.1.4, before 2024.2.13, before 2023.3.20. CVSSv3 Score: 7.7

CVE-2025-26498 - Unrestricted Upload of File with Dangerous Type vulnerability in Salesforce Tableau Server on Windows, Linux (establish-connection-no-undo modules) allows Absolute Path Traversal. This issue affects Tableau Server: before 2025.1.4, before 2024.2.13, before 2023.3.20. CVSSv3 Score: 7.7

CVE-2025-52450 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Salesforce Tableau Server on Windows, Linux (tabdoc api - create-data-source-from-file-upload modules) allows Absolute Path Traversal. This issue affects Tableau Server: before 2025.1.4, before 2024.2.13, before 2023.3.20. CVSSv3 Score: 8.5

CVE-2025-52451 - Improper Input Validation vulnerability in Salesforce Tableau Server on Windows, Linux (tabdoc api - create-data-source-from-file-upload modules) allows Absolute Path Traversal. This issue affects Tableau Server: before 2025.1.4, before 2024.2.13, before 2023.3.20. CVSSv3 Score: 8.5

Solution

Customers should:

Update Tableau Server to the latest supported Maintenance Release in your branch, which can be downloaded from the Tableau Server Maintenance Release page.

Knowledge article number

005132575

 