CVE-2025-26496
📋 TL;DR
This CVE describes a type confusion vulnerability in Salesforce Tableau's file upload modules that allows local attackers to include and execute arbitrary code. It affects Tableau Server and Tableau Desktop installations on Windows and Linux systems. The vulnerability requires local access to the affected system.
💻 Affected Systems
- Tableau Server
- Tableau Desktop
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with complete administrative control, data exfiltration, and persistent backdoor installation.
Likely Case
Local privilege escalation leading to unauthorized access to sensitive Tableau data and configuration files.
If Mitigated
Limited impact due to proper access controls and network segmentation restricting local attack surface.
🎯 Exploit Status
Requires local access and knowledge of the file upload functionality. Type confusion vulnerabilities often require specific conditions to trigger.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2025.1.3, 2024.2.12, or 2023.3.19 depending on your version track
Vendor Advisory: https://help.salesforce.com/s/articleView?id=005132575&type=1
Restart Required: Yes
Instructions:
1. Identify your current Tableau version.
2. Download the appropriate patch from Salesforce Tableau downloads.
3. Apply the patch following Tableau's upgrade documentation.
4. Restart Tableau services.
🔧 Temporary Workarounds
Restrict local access
All platforms: Limit local user access to Tableau systems to authorized administrators only
Disable unnecessary file uploads
All platforms: Configure Tableau to restrict or disable file upload functionality if not required
🧯 If You Can't Patch
- Implement strict access controls to limit local user access to Tableau systems
- Monitor for suspicious file upload activities and local privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Compare the installed Tableau version against the fixed versions listed under Official Fix. On Tableau Server, check the admin settings or run the 'tabadmin version' command.
Check Version:
Tableau Server: 'tabadmin version' or check Admin Settings. Tableau Desktop: Help > About Tableau.
Verify Fix Applied:
Verify version is 2025.1.3 or higher, 2024.2.12 or higher, or 2023.3.19 or higher depending on track.
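A track-aware check against the fixed versions listed above, as an added example (not vendor or project code). The function names, host names and inventory are constructed for illustration; release tracks this page does not list are reported as unknown rather than guessed.

```python
import re

# Fixed maintenance release per track, from the "Official Fix" entry above.
FIXED = {(2025, 1): 3, (2024, 2): 12, (2023, 3): 19}

# Matches 2024.2.11 and also 2024.2 (first release of a track, maintenance 0).
_VERSION = re.compile(r"\b(20\d{2})\.(\d+)(?:\.(\d+))?\b")


def classify(version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for a reported version."""
    m = _VERSION.search(version_text)
    if m is None:
        return "unknown"
    year, minor = int(m.group(1)), int(m.group(2))
    maintenance = int(m.group(3) or 0)
    fixed = FIXED.get((year, minor))
    if fixed is None:
        # Track not listed on this page: report it instead of guessing.
        return "unknown"
    return "patched" if maintenance >= fixed else "vulnerable"


def needs_action(inventory):
    """Return sorted (host, status) pairs for every host not confirmed patched."""
    return sorted(
        (host, status)
        for host, version in inventory.items()
        if (status := classify(version)) != "patched"
    )


# Constructed inventory: host names and version strings are sample data.
SAMPLE_INVENTORY = {
    "tableau-prod-01": "2024.2.12",
    "tableau-prod-02": "2024.2.11",
    "tableau-dev-01": "Tableau Server 2025.1.3",
    "analyst-laptop-07": "2023.3.4",
    "legacy-report-01": "2022.1.5",
}

if __name__ == "__main__":
    for host, status in needs_action(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```

Comparing within the track matters: 2024.2.11 sorts above 2023.3.19 numerically but is still below the fix for its own track.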
📡 Detection & Monitoring
Log Indicators:
- Unusual file upload activities
- Privilege escalation attempts in system logs
- Unexpected process execution from Tableau context
Network Indicators:
- Unusual outbound connections from Tableau servers
- Lateral movement attempts from Tableau systems
SIEM Query:
source="tableau*" AND (event_type="file_upload" OR process_execution="unusual")