CVE-2025-52446
📋 TL;DR
An authorization bypass vulnerability in Salesforce Tableau Server allows attackers to manipulate interface parameters and gain unauthorized access to production database clusters. This affects Tableau Server installations on Windows and Linux systems running vulnerable versions. Attackers can potentially access sensitive data they shouldn't have permission to view.
💻 Affected Systems
- Salesforce Tableau Server
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of production database clusters, leading to data exfiltration, data manipulation, or service disruption affecting all Tableau Server data.
Likely Case
Unauthorized access to sensitive business intelligence data, dashboards, and reports that should be restricted, potentially exposing confidential information.
If Mitigated
Limited impact if proper network segmentation, least privilege access controls, and monitoring are in place to detect unusual database access patterns.
🎯 Exploit Status
Requires some level of access to the Tableau Server interface. CWE-639 indicates user-controlled key manipulation, suggesting attackers need to be able to interact with the interface but do not necessarily need valid credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2025.1.3, 2024.2.12, or 2023.3.19 depending on your version track
Vendor Advisory: https://help.salesforce.com/s/articleView?id=005105043&type=1
Restart Required: Yes
Instructions:
1. Identify your current Tableau Server version.
2. Download the appropriate patch from the Salesforce portal.
3. Apply the patch following Tableau Server upgrade procedures.
4. Restart Tableau Server services.
5. Verify successful upgrade.
🔧 Temporary Workarounds
Network segmentation and access controls
All platforms: Restrict network access to Tableau Server interfaces and backend database clusters
API rate limiting and monitoring
All platforms: Implement rate limiting on tab-doc API endpoints and monitor for unusual access patterns
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Tableau Server from production databases
- Enable detailed logging and monitoring for all database access attempts through Tableau interfaces
🔍 How to Verify
Check if Vulnerable:
Check the Tableau Server version via the Tableau Server Management Console, with the command 'tsm version' on Linux, or by checking Windows services
Check Version:
tsm version (Linux) or check Tableau Server Management Console (Windows)
Verify Fix Applied:
Verify version is 2025.1.3 or higher, 2024.2.12 or higher, or 2023.3.19 or higher depending on track
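The per-track check above can be run across a server inventory with a short script. This is an added example, not code from the vendor advisory or from Tableau; it assumes each version has already been collected as a year.release.maintenance string (the form used on this page), and the host names and the `classify`/`audit` helpers are hypothetical.

```python
import re

# Fixed maintenance release per track, taken from the "Official Fix" section of this page.
FIXED = {(2025, 1): 3, (2024, 2): 12, (2023, 3): 19}

# Assumed input form: "2024.2.5"; a bare "2024.2" is read as maintenance release 0.
_VERSION = re.compile(r"^\s*(\d{4})\.(\d+)(?:\.(\d+))?\s*$")


def classify(version: str) -> str:
    """Return 'patched', 'vulnerable', 'unlisted-track' or 'unparseable'."""
    m = _VERSION.match(version)
    if not m:
        return "unparseable"
    year, release, maint = (int(g or 0) for g in m.groups())
    fixed_maint = FIXED.get((year, release))
    if fixed_maint is None:
        # This page names no fixed version for the track; consult the vendor advisory.
        return "unlisted-track"
    # Compare as integers: as strings, "5" would sort after "12".
    return "patched" if maint >= fixed_maint else "vulnerable"


def audit(inventory: dict[str, str]) -> dict[str, str]:
    """Map each host in the inventory to its classification."""
    return {host: classify(version) for host, version in inventory.items()}


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE = {
    "tableau-prod-01": "2024.2.5",
    "tableau-prod-02": "2024.2.12",
    "tableau-dr-01": "2023.3.19",
    "tableau-dev-01": "2025.1",
    "tableau-old-01": "2022.3.4",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {SAMPLE[host]} -> {status}")
```

Hosts reported as unlisted-track or unparseable need a manual check against the vendor advisory rather than being assumed safe.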
📡 Detection & Monitoring
Log Indicators:
- Unusual database access patterns from Tableau Server
- Multiple failed authorization attempts followed by successful access
- Access to database objects outside normal user permissions
Network Indicators:
- Unusual traffic between Tableau Server and database clusters
- Multiple rapid API calls to tab-doc endpoints
SIEM Query:
source="tableau_server" AND (event_type="database_access" OR api_endpoint="tab-doc") AND user_permission="elevated"