CVE-2025-26494 Overview
CVE-2025-26494 is a Server-Side Request Forgery (SSRF) vulnerability [CWE-918] in Salesforce Tableau Server that can be used to bypass authentication. The flaw affects Tableau Server versions 2023.3 through 2023.3.5. An authenticated, low-privileged attacker can make the server issue requests on their behalf, crossing a trust boundary and reaching internal resources that the attacker could not authenticate to directly.
Critical Impact
An authenticated attacker with low privileges can leverage Tableau Server as a proxy to reach internal services, bypass authentication boundaries, and access sensitive resources reachable from the server. The scope change indicates impact extends beyond the vulnerable component.
Affected Products
- Salesforce Tableau Server 2023.3 through 2023.3.5
- Any deployment of those versions in which low-privileged authenticated users can reach Tableau Server endpoints
Discovery Timeline
- 2025-02-11 - CVE-2025-26494 published to NVD
- 2025-10-29 - Last updated in NVD database
Technical Details for CVE-2025-26494
Vulnerability Analysis
The vulnerability is a Server-Side Request Forgery (SSRF) issue in Tableau Server. SSRF flaws occur when a server-side application accepts user-supplied input that influences the destination of outbound requests. Tableau Server processes URLs or resource identifiers without sufficient validation, allowing an attacker to redirect server-initiated requests to unintended destinations.
The attack vector is network-based, requires low privileges, and needs no user interaction. The scope is changed, meaning successful exploitation affects resources beyond Tableau Server itself. Confidentiality impact is rated high; integrity and availability impacts are rated none.
Because the SSRF results in authentication bypass, the attacker borrows the server's identity or network position to reach endpoints that trust requests originating from the Tableau Server host. Typical targets are internal service enumeration, cloud instance metadata retrieval, and APIs that rely on network-level trust instead of per-request authentication.
Root Cause
The vendor has not published code-level details; the CWE-918 classification and the public description point to insufficient validation of URL inputs consumed by server-side request functionality in Tableau Server. The application does not restrict the protocol, hostname, or destination address before issuing the outbound request, so attacker-controlled URLs pointing at internal addresses or authentication-protected endpoints are fetched by the server.
Attack Vector
An attacker with authenticated low-privileged access to Tableau Server submits crafted requests containing attacker-controlled URLs. The server resolves and fetches those URLs without restricting the destination, and the attacker observes the responses, timing, or side effects to map the internal network and reach services protected only by network-based trust. Refer to the Salesforce Help Article for vendor technical details.
Detection Methods for CVE-2025-26494
Indicators of Compromise
- Unexpected outbound HTTP requests originating from Tableau Server processes to internal IP ranges or cloud metadata endpoints such as 169.254.169.254
- Tableau Server logs containing request parameters whose URLs reference localhost, loopback or private RFC 1918 ranges, link-local addresses, or non-HTTP schemes
- Authentication events or API calls to internal services where the source is Tableau Server but the action does not correlate with legitimate workflows
Detection Strategies
- Inspect Tableau Server application logs for parameters containing URLs that point at internal hosts, loopback addresses, or cloud metadata services, including alternative IP spellings (decimal, hexadecimal, octal, IPv4-mapped IPv6) that bypass naive string matching
- Correlate network flow data with Tableau Server host activity to identify anomalous lateral connections to internal management interfaces
- Alert on Tableau Server initiating connections to ports or protocols outside its documented baseline
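The detection strategies above and the missing destination validation described under Root Cause need the same piece of logic: normalizing a URL's host into an address and deciding whether it is internal. The following Python is an added example written for this page, not Tableau Server code or a vendor tool; the log line format, the "/fetch?url=" request path and the resolver hook are constructed placeholders. It scans log lines for URL parameters (including URL-encoded and nested ones), flags loopback, private, link-local and non-HTTP destinations, and shows the matching allowlist check an application should run before a server-side fetch.

```python
"""Added example: flag SSRF-suspicious URL parameters in log lines and apply the
same internal-address logic as a pre-fetch allowlist check. The log format,
"/fetch?url=" path and resolver hook are constructed placeholders."""
import ipaddress
import re
import socket
from urllib.parse import parse_qsl, unquote, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Names that reach loopback or metadata services without a DNS lookup.
SUSPICIOUS_HOSTS = {"localhost", "metadata.google.internal", "metadata"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]
URL_RE = re.compile(r"\b[a-zA-Z][a-zA-Z0-9+.-]*://[^\s\"'<>]+")


def _parse_ipv4_variant(host):
    """Decode single-integer (2130706433, 0x7f000001) and dotted octal/hex
    (0177.0.0.1, 0x7f.0.0.1) IPv4 spellings that slip past naive string checks."""
    def octet(s):
        if s.startswith("0x"):
            return int(s, 16)
        if len(s) > 1 and s.startswith("0"):
            return int(s, 8)
        return int(s, 10)
    try:
        parts = host.split(".")
        if len(parts) == 1:
            n = octet(host)
            return ipaddress.ip_address(n) if 0 <= n <= 0xFFFFFFFF else None
        if len(parts) == 4:
            octets = [octet(p) for p in parts]
            if all(0 <= o <= 255 for o in octets):
                return ipaddress.ip_address(".".join(map(str, octets)))
    except ValueError:
        pass
    return None


def normalize_host(host):
    """Return an ip_address for a literal host (unwrapping IPv4-mapped IPv6),
    or None when the host is a name that would need DNS."""
    host = host.strip("[]").lower().rstrip(".")
    ip = _parse_ipv4_variant(host)
    if ip is None:
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            return None
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return ip


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def classify_url(url):
    """Return a reason string when the URL looks like SSRF abuse, else None."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return "unparsable url"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return f"non-http scheme {parts.scheme.lower()}"
    host = (parts.hostname or "").rstrip(".")
    if host in SUSPICIOUS_HOSTS or host.endswith(".localhost"):
        return f"loopback/metadata hostname {host}"
    ip = normalize_host(host)
    if ip is not None and is_internal(ip):
        return f"internal address {ip}"
    return None


def extract_urls(text, depth=2):
    """Find URLs in a log line, including ones URL-encoded inside a request
    path or nested inside another URL's query string."""
    urls = set()
    for candidate in (text, unquote(text)):
        for url in URL_RE.findall(candidate):
            urls.add(url)
            if depth > 0:  # parse_qsl already decodes percent-encoded values
                for _, value in parse_qsl(url.partition("?")[2], keep_blank_values=True):
                    urls |= extract_urls(value, depth - 1)
    return urls


def scan_log(lines):
    """Return (line_number, url, reason) for every suspicious URL parameter."""
    hits = []
    for n, line in enumerate(lines, 1):
        for url in sorted(extract_urls(line)):
            reason = classify_url(url)
            if reason:
                hits.append((n, url, reason))
    return hits


def is_allowed_destination(url, allowed_hosts, resolver=None):
    """Allowlist check to run before a server-side fetch: http(s) only, hostname
    allowlisted, and every address it resolves to public. The caller must then
    connect to the resolved address and refuse redirects, or a DNS rebind or a
    3xx hop re-opens the hole. `resolver` maps a hostname to IP strings."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme.lower() not in ALLOWED_SCHEMES or host not in allowed_hosts:
        return False
    if resolver is None:
        resolver = lambda h: [ai[4][0] for ai in socket.getaddrinfo(h, None)]
    addrs = [normalize_host(a) for a in resolver(host)]
    return bool(addrs) and all(a is not None and not is_internal(a) for a in addrs)


# Constructed sample log lines, not real Tableau Server output.
SAMPLE_LOG = [
    "2025-03-01T10:00:01Z 10.1.2.3 user=analyst GET /fetch?url=https%3A%2F%2Fcdn.example.com%2Fimg.png 200",
    "2025-03-01T10:00:05Z 10.1.2.3 user=analyst GET /fetch?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F 200",
    "2025-03-01T10:00:09Z 10.1.2.3 user=analyst GET /fetch?url=http://0x7f000001/ 200",
    "2025-03-01T10:00:13Z 10.1.2.3 user=analyst POST /fetch body=url=http://[::ffff:10.20.30.40]/admin 200",
    "2025-03-01T10:00:17Z 10.1.2.3 user=analyst GET /fetch?url=gopher://127.0.0.1:6379/_FLUSHALL 502",
    "2025-03-01T10:00:21Z 10.1.2.3 user=analyst GET /fetch?url=http://0177.0.0.1/ 200",
]
```

Running scan_log(SAMPLE_LOG) flags lines 2 through 6 (metadata endpoint, hex loopback, IPv4-mapped private address, gopher scheme, octal loopback) and leaves the CDN fetch on line 1 alone. The address normalization is the part worth reusing: literal hostnames only, no DNS, so it runs offline against historical logs and produces no resolver traffic from the analysis host.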
Monitoring Recommendations
- Capture and retain web server and application logs from Tableau Server with full URL parameters for forensic review
- Monitor egress from Tableau Server hosts and apply egress filtering rules to flag connections to sensitive internal subnets
- Track authentication anomalies on internal services that trust requests originating from the Tableau Server network segment
How to Mitigate CVE-2025-26494
Immediate Actions Required
- Identify all Tableau Server instances running versions 2023.3 through 2023.3.5 and prioritize them for patching
- Apply the vendor-provided update referenced in the Salesforce Help Article
- Restrict outbound network access from Tableau Server hosts to only required destinations
- Audit existing authenticated users and disable or remove low-privilege accounts that no longer need access, since any authenticated account is sufficient to exploit this issue
Patch Information
Salesforce has published guidance for this issue. Administrators should consult the Salesforce Help Article for the fixed version and upgrade instructions. Upgrade Tableau Server beyond version 2023.3.5 to a release that addresses CVE-2025-26494.
Workarounds
- Implement egress filtering at the network layer to block Tableau Server from reaching internal management interfaces, cloud metadata endpoints, and unrelated internal subnets
- Place Tableau Server in a network segment with restricted east-west connectivity to limit reachable targets if SSRF is exploited
- Enforce least-privilege access on internal services so that requests originating from Tableau Server require explicit authentication rather than network-based trust
- Review and reduce the set of users with authenticated access to Tableau Server until patching is complete
# Example egress restriction using iptables on the Tableau Server host.
# Assumes the Tableau Server run-as service account is "tableau" (the Linux default);
# scoping the rules to that account leaves host management tooling unaffected.
iptables -A OUTPUT -d 169.254.169.254 -m owner --uid-owner tableau -j REJECT
# Tableau Server's own processes communicate over loopback, so do not blanket-block 127.0.0.0/8
# (a rule like "-d 127.0.0.0/8 ! -o lo" never matches anyway: loopback traffic always leaves via lo).
# Point the subnet below at management ranges Tableau has no reason to reach, not at its data sources.
iptables -A OUTPUT -d 10.0.0.0/8 -m owner --uid-owner tableau -j REJECT
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.