CVE-2025-26495

7.5 HIGH

📋 TL;DR

This vulnerability allows Personal Access Tokens (PATs) to be stored in cleartext within Tableau Server logging repositories. Attackers with access to these logs could steal authentication tokens and impersonate users. This affects all Tableau Server installations running vulnerable versions.

💻 Affected Systems

Products:
  • Salesforce Tableau Server
Versions: Before 2022.1.3, before 2021.4.8, before 2021.3.13, before 2021.2.14, before 2021.1.16, before 2020.4.19
Operating Systems: All supported Tableau Server operating systems
Default Config Vulnerable: ⚠️ Yes
Notes: All Tableau Server deployments with logging enabled are affected. The vulnerability logs PATs during certain operations.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers gain administrative access to Tableau Server, exfiltrate sensitive business intelligence data, and potentially pivot to connected data sources.

🟠 Likely Case: Unauthorized users access sensitive dashboards and data by using stolen PATs from accessible log files.

🟢 If Mitigated: Limited exposure if logs are properly secured with strict access controls and monitoring.

🌐 Internet-Facing: MEDIUM - While the vulnerability itself doesn't expose logs externally, internet-facing Tableau instances increase attack surface for credential theft.
🏢 Internal Only: HIGH - Internal attackers or compromised accounts can easily access logs containing sensitive authentication tokens.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires access to Tableau Server log files, which typically requires some level of system access or compromised credentials.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2022.1.3, 2021.4.8, 2021.3.13, 2021.2.14, 2021.1.16, 2020.4.19 or later

Vendor Advisory: https://help.salesforce.com/s/articleView?id=000390611&type=1

Restart Required: No

Instructions:

1. Download the appropriate patch version for your Tableau Server release.
2. Run the Tableau Server installer.
3. Follow the upgrade wizard.
4. Verify the upgrade completed successfully.

🔧 Temporary Workarounds

Restrict Log File Access

Linux

Apply strict file system permissions to the Tableau Server log directory so that only the account Tableau Server runs as can read the logs. Note that the shell glob below only matches entries directly inside the logs directory, not files in nested subdirectories or the directory itself; adjust the path, the scope, and the owner to match your installation's layout and service account.

# restrict the log files to their owner only (non-recursive)
chmod 600 /var/opt/tableau/tableau_server/data/tabsvc/logs/*
# owner must be the account Tableau Server runs as
chown tableau:tableau /var/opt/tableau/tableau_server/data/tabsvc/logs/*

Rotate Personal Access Tokens

All platforms

Immediately revoke and regenerate all existing PATs to invalidate any potentially logged tokens.

🧯 If You Can't Patch

  • Implement strict access controls on Tableau Server log directories and files
  • Enable comprehensive auditing and monitoring of log file access attempts

🔍 How to Verify

Check if Vulnerable:

Check Tableau Server version via Tableau Services Manager (TSM) web interface or command line: tsm version

Check Version:

tsm version

Verify Fix Applied:

Confirm the version is patched within its own maintenance branch: tsm version should show 2022.1.3 or later on the 2022.1 branch, 2021.4.8 or later on 2021.4, 2021.3.13 or later on 2021.3, 2021.2.14 or later on 2021.2, 2021.1.16 or later on 2021.1, or 2020.4.19 or later on 2020.4. A plain numeric comparison across branches is not enough (for example, 2021.4.7 sorts above 2020.4.19 but is still vulnerable).
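The script below is an added example, not part of this advisory or of Tableau's tooling: it applies the per-branch fixed versions listed above to the output of tsm version and reports whether the installed release is patched. It assumes that the tsm version output contains the release in YYYY.minor.patch form (the exact output format is an assumption); branches not in the fix list are reported as unlisted so you can confirm them against the vendor advisory.

```python
import re
import sys

# Minimum fixed release per maintenance branch, taken from the advisory above.
FIXED_VERSIONS = {
    (2022, 1): (2022, 1, 3),
    (2021, 4): (2021, 4, 8),
    (2021, 3): (2021, 3, 13),
    (2021, 2): (2021, 2, 14),
    (2021, 1): (2021, 1, 16),
    (2020, 4): (2020, 4, 19),
}

# Assumption: `tsm version` output contains the release as YYYY.minor.patch
# (a trailing build number such as 20214.22.0421.1217 does not match this).
VERSION_RE = re.compile(r"\b(\d{4})\.(\d{1,2})\.(\d{1,3})\b")


def parse_version(tsm_output):
    """Extract the (year, minor, patch) release tuple from `tsm version` output."""
    match = VERSION_RE.search(tsm_output)
    if not match:
        raise ValueError("no Tableau Server release found in tsm output")
    return tuple(int(part) for part in match.groups())


def assess(version):
    """Classify a release against the advisory's fix list, branch by branch.

    2021.4.7 is vulnerable even though it sorts above 2020.4.19, because the
    2021.4 branch was fixed only in 2021.4.8.
    """
    branch = version[:2]
    if branch not in FIXED_VERSIONS:
        # Newer than 2022.1 or an older unsupported branch: not in the fix
        # list, so confirm the status against the vendor advisory.
        return "unlisted"
    return "patched" if version >= FIXED_VERSIONS[branch] else "vulnerable"


def check(tsm_output):
    """Parse and classify in one step; returns patched / vulnerable / unlisted."""
    return assess(parse_version(tsm_output))


if __name__ == "__main__":
    # Usage: tsm version | python check_cve_2025_26495.py
    print(check(sys.stdin.read()))
```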

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to Tableau log directories
  • Suspicious queries using PATs from unexpected IP addresses

Network Indicators:

  • Unusual API calls to Tableau Server using PAT authentication

SIEM Query:

source="tableau_server" AND (event="log_access" OR event="file_read") AND target_file="*log*" AND user!="tableau_service_account"
