CVE-2025-26496 Overview
CVE-2025-26496 is a Type Confusion vulnerability (CWE-843) affecting Salesforce Tableau Server and Tableau Desktop on Windows and Linux platforms. The vulnerability exists within the File Upload modules and allows attackers to achieve Local Code Inclusion. By exploiting improper type handling during file upload operations, an attacker can manipulate resource access in a way that leads to code execution with elevated privileges.
Critical Impact
This Type Confusion vulnerability enables Local Code Inclusion, potentially allowing attackers to execute arbitrary code and compromise Tableau Server or Desktop installations. The vulnerability can affect confidentiality, integrity, and availability of affected systems.
Affected Products
- Tableau Server versions before 2025.1.3
- Tableau Server versions before 2024.2.12
- Tableau Server versions before 2023.3.19
- Tableau Desktop versions before 2025.1.3
- Tableau Desktop versions before 2024.2.12
- Tableau Desktop versions before 2023.3.19
Discovery Timeline
- 2025-08-22 - CVE-2025-26496 published to NVD
- 2025-11-04 - Last updated in NVD database
Technical Details for CVE-2025-26496
Vulnerability Analysis
The vulnerability stems from a Type Confusion flaw in the File Upload modules of Tableau Server and Tableau Desktop. Type Confusion vulnerabilities occur when code accesses a resource using an incompatible type, which can lead to memory corruption or unexpected behavior. In this case, the improper type handling during file upload operations creates an opportunity for attackers to inject and include local code.
The local attack vector requires the attacker to have access to the target system, though no privileges are required to exploit the vulnerability. Successful exploitation can result in a scope change, meaning the vulnerability can impact resources beyond the vulnerable component's security scope. This includes high impact to confidentiality, integrity, and availability of the affected system.
Root Cause
The root cause of CVE-2025-26496 is improper type validation in the File Upload modules. When processing uploaded files, the application fails to properly verify the type of resources being accessed, leading to a Type Confusion condition. This allows attackers to craft malicious uploads that are interpreted as a different resource type than intended, enabling code inclusion.
Attack Vector
The attack requires local access to the vulnerable system. An attacker can exploit this vulnerability by:
- Preparing a malicious file crafted to exploit the Type Confusion condition
- Uploading the file through Tableau's File Upload modules
- Triggering the type confusion during file processing
- Achieving Local Code Inclusion to execute arbitrary code
The attack requires no user interaction and no prior privileges on the system. Due to the scope change characteristic, successful exploitation can impact resources beyond the Tableau application itself, potentially compromising the underlying operating system.
The vulnerability mechanism involves the File Upload modules incorrectly handling resource types during file processing. When a specially crafted file is uploaded, the type confusion allows the attacker to include and execute local code. For detailed technical information, refer to the Salesforce Help Article.
Detection Methods for CVE-2025-26496
Indicators of Compromise
- Unusual file upload activity to Tableau Server or Desktop, particularly files with unexpected extensions or headers
- Unexpected process spawning from Tableau Server or Desktop processes
- Evidence of unauthorized code execution or file modifications in Tableau installation directories
- Anomalous system calls originating from Tableau processes
Detection Strategies
- Monitor file upload operations to Tableau Server for malformed or suspicious file types
- Implement application-level logging to capture detailed file processing events in Tableau modules
- Deploy endpoint detection and response (EDR) solutions to identify code inclusion attempts
- Configure behavioral analysis to detect unusual process activity from Tableau executables
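The header-versus-extension check implied by the indicators and strategies above, as an added example (not Tableau or vendor code). It is a triage heuristic for uploaded files, not a detector for the type confusion itself; the extension allow-list, the ZIP/XML expectations for .twbx/.tdsx/.twb/.tds, and the sample byte strings are assumptions.

```python
from pathlib import PurePath

# Assumption: .twbx/.tdsx are ZIP packages, .twb/.tds are XML; extend as needed.
EXPECTED = {".twbx": "zip", ".tdsx": "zip", ".twb": "xml", ".tds": "xml"}
# Headers of directly loadable code that a workbook upload should not carry.
CODE_MAGIC = {b"MZ": "PE image", b"\x7fELF": "ELF image", b"#!": "script"}


def sniff(head):
    """Classify content from its leading bytes (UTF-8 BOM/whitespace skipped)."""
    for magic, label in CODE_MAGIC.items():
        if head.startswith(magic):
            return label
    if head.startswith(b"PK\x03\x04"):
        return "zip"
    if head.lstrip(b"\xef\xbb\xbf \t\r\n").startswith(b"<"):
        return "xml"
    return "unknown"


def check_upload(name, head):
    """Return a finding string, or None when header and extension agree."""
    kind = sniff(head)
    ext = PurePath(name).suffix.lower()
    if kind in CODE_MAGIC.values():
        return f"{name}: {kind} header in uploaded file"
    expected = EXPECTED.get(ext)
    if expected is None:
        return f"{name}: extension {ext or '(none)'} is not on the allow-list"
    if kind != expected:
        return f"{name}: expected {expected} content, found {kind}"
    return None


def review(uploads):
    """Run check_upload over (name, leading_bytes) pairs; keep findings only."""
    return [f for f in (check_upload(n, h) for n, h in uploads) if f]


# Constructed samples: file names and leading bytes, not real uploads.
SAMPLE_UPLOADS = [
    ("sales.twb", b"\xef\xbb\xbf<?xml version='1.0'?>"),
    ("q3.twbx", b"MZ\x90\x00\x03\x00"),
    ("report.twb", b"PK\x03\x04\x14\x00"),
    ("notes.dll", b"plain text"),
]

if __name__ == "__main__":
    print("\n".join(review(SAMPLE_UPLOADS)))
```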
Monitoring Recommendations
- Enable verbose logging for Tableau Server and Desktop file upload operations
- Implement real-time alerting for suspicious file processing behavior
- Monitor for new or modified files in Tableau installation directories
- Review system logs for evidence of local code execution attempts
How to Mitigate CVE-2025-26496
Immediate Actions Required
- Update Tableau Server to version 2025.1.3, 2024.2.12, or 2023.3.19 or later depending on your version branch
- Update Tableau Desktop to version 2025.1.3, 2024.2.12, or 2023.3.19 or later depending on your version branch
- Restrict access to Tableau Server and Desktop systems to authorized users only
- Implement network segmentation to limit potential attack surface
Patch Information
Salesforce has released security patches addressing CVE-2025-26496 in the following versions:
- Tableau Server and Desktop 2025.1.3 and later
- Tableau Server and Desktop 2024.2.12 and later
- Tableau Server and Desktop 2023.3.19 and later
Organizations should prioritize patching based on deployment criticality. For detailed patch information and download links, refer to the Salesforce Help Article.
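An added example (not vendor tooling) that triages an inventory of installed Tableau versions against the fixed builds listed above. The inventory rows are constructed; treating a branch newer than 2025.1 as patched follows the "and later" wording, and branches with no fixed build listed here are reported as unlisted for manual review.

```python
import re

# Fixed maintenance release per branch, as listed in the advisory text above.
FIXED_BUILDS = {(2025, 1): 3, (2024, 2): 12, (2023, 3): 19}
_VERSION_RE = re.compile(r"^(\d{4})\.(\d+)(?:\.(\d+))?$")


def parse_version(text):
    """Parse 'YYYY.R' or 'YYYY.R.M' into (year, release, maintenance)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognized Tableau version string: {text!r}")
    year, release, maint = m.groups()
    return int(year), int(release), int(maint or 0)


def triage(version):
    """Return 'patched', 'vulnerable' or 'unlisted' for one version string."""
    year, release, maint = parse_version(version)
    branch = (year, release)
    if branch in FIXED_BUILDS:
        return "patched" if maint >= FIXED_BUILDS[branch] else "vulnerable"
    if branch > max(FIXED_BUILDS):
        return "patched"  # assumption from the "2025.1.3 and later" wording
    return "unlisted"  # no fixed build listed for this branch on the page


def triage_inventory(rows):
    """Map (host, product, version) rows to a status; bad rows stay visible."""
    report = {}
    for host, product, version in rows:
        try:
            report[(host, product)] = triage(version)
        except ValueError:
            report[(host, product)] = "unparseable"
    return report


# Constructed inventory: hostnames and versions are sample data.
SAMPLE_INVENTORY = [
    ("tab-prod-01", "server", "2024.2.11"),
    ("tab-prod-02", "server", "2024.2.12"),
    ("analyst-17", "desktop", "2023.3.4"),
    ("tab-legacy", "server", "2022.3.9"),
    ("kiosk-3", "desktop", "20251.25.0520"),
]

if __name__ == "__main__":
    print(triage_inventory(SAMPLE_INVENTORY))
```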
Workarounds
- Restrict file upload functionality to trusted users only until patching is complete
- Implement additional access controls on systems running Tableau Server or Desktop
- Monitor file upload activity for suspicious patterns
- Consider temporarily disabling file upload features if feasible in your environment
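# Example: Restrict access to the Tableau Server installation directory (Windows, elevated prompt)
# /inheritance:r drops inherited ACEs, so SYSTEM and Administrators are re-granted explicitly;
# the trusted group gets read/execute only. Add the account the Tableau services run as before applying.
icacls "C:\Program Files\Tableau\Tableau Server" /inheritance:r /grant:r "NT AUTHORITY\SYSTEM:(OI)(CI)F" "BUILTIN\Administrators:(OI)(CI)F" "DOMAIN\TrustedTableauUsers:(OI)(CI)RX"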


