CVE-2025-26497 Overview
CVE-2025-26497 is an unrestricted file upload vulnerability affecting Salesforce Tableau Server on Windows and Linux. The flaw is in the Flow Editor modules: an upload of a dangerous file type can carry an absolute path, so the attacker controls both what is written and where on the host it lands. The weakness is classified under CWE-434, Unrestricted Upload of File with Dangerous Type. Attackers can exploit the issue over the network without authentication or user interaction. Affected releases are Tableau Server versions before 2025.1.3, 2024.2.12, and 2023.3.19 on their respective release branches.
Critical Impact
Unauthenticated remote attackers can upload files with dangerous types and write them to arbitrary absolute paths on the Tableau Server host, threatening confidentiality, integrity, and availability.
Affected Products
- Tableau Server on Windows (versions before 2025.1.3, 2024.2.12, and 2023.3.19)
- Tableau Server on Linux (versions before 2025.1.3, 2024.2.12, and 2023.3.19)
- Tableau Server Flow Editor modules
Discovery Timeline
- 2025-08-22 - CVE-2025-26497 published to the National Vulnerability Database (NVD)
- 2025-11-06 - Last updated in the NVD database
Technical Details for CVE-2025-26497
Vulnerability Analysis
The vulnerability stems from inadequate validation of uploaded files within the Flow Editor modules of Tableau Server. The Flow Editor accepts file uploads without sufficiently restricting file type or destination path. Combined with absolute path traversal, an attacker can dictate where the uploaded content lands on disk.
The issue is reachable over the network and requires no privileges or user interaction. Successful exploitation can compromise the integrity of server-side files, expose data, and disrupt service availability. Depending on the chosen write location, an attacker could overwrite configuration files or place executable content in locations consumed by Tableau Server processes.
Root Cause
The root cause is missing or insufficient validation of file content, file extension, and target path during upload handling in Flow Editor. The server honors an absolute path supplied in the upload parameters instead of discarding it and placing the file under a fixed, controlled directory. Together, the unchecked file type and the attacker-chosen destination realize the CWE-434 weakness.
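The two halves of the root cause, an honored absolute path and an unchecked file type, are easiest to see side by side. The following is an added illustration, not Tableau Server code: the unsafe function reproduces the pattern the advisory describes (a caller-supplied absolute path replaces the storage root), and the hardened function rejects absolute and traversing names under both POSIX and Windows conventions, keeps only the basename, applies an extension allow-list, and then proves the resolved path is still inside the upload root. UPLOAD_ROOT and ALLOWED_EXTENSIONS are assumptions for the example.

```python
"""Unsafe vs. hardened handling of a client-supplied upload filename.

Added example, not Tableau Server's implementation. UPLOAD_ROOT and
ALLOWED_EXTENSIONS are assumed values chosen for illustration.
"""
import os
from pathlib import PurePosixPath, PureWindowsPath
from typing import Optional

UPLOAD_ROOT = "/var/opt/tableau/uploads"                   # assumed storage root
ALLOWED_EXTENSIONS = {".tfl", ".tflx", ".csv", ".hyper"}   # assumed allow-list


def unsafe_target_path(root: str, supplied: str) -> str:
    """Vulnerable pattern: os.path.join discards `root` when `supplied` is
    absolute, so the client picks the destination (absolute path traversal)."""
    return os.path.join(root, supplied)


def rejection_reason(supplied: str) -> Optional[str]:
    """Return why `supplied` must be rejected, or None if it is acceptable.

    POSIX and Windows conventions are both checked regardless of the host OS:
    the product ships for both, and a client can send either form.
    """
    if not supplied or "\x00" in supplied:
        return "empty or NUL-containing name"
    win = PureWindowsPath(supplied)
    # PurePosixPath catches "/etc/x"; PureWindowsPath catches "C:\\x", "C:x", "\\\\srv\\share\\x".
    if PurePosixPath(supplied).is_absolute() or win.is_absolute() or win.drive or win.root:
        return "absolute path"
    parts = [p for p in supplied.replace("\\", "/").split("/") if p]
    if not parts:
        return "empty name"
    if any(p in (".", "..") for p in parts):
        return "path traversal"
    ext = os.path.splitext(parts[-1])[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return f"disallowed file type {ext or '(none)'}"
    return None


def safe_target_path(root: str, supplied: str) -> str:
    """Hardened: refuse absolute, traversing or untyped names, keep only the
    basename, and verify the final resolved path is still under `root`."""
    reason = rejection_reason(supplied)
    if reason:
        raise ValueError(reason)
    root_abs = os.path.realpath(root)
    basename = supplied.replace("\\", "/").rsplit("/", 1)[-1]
    target = os.path.realpath(os.path.join(root_abs, basename))
    # Belt and braces: even after the checks above, never escape the root.
    if os.path.commonpath([root_abs, target]) != root_abs:
        raise ValueError("resolved outside upload root")
    return target


if __name__ == "__main__":
    # Constructed inputs showing the difference between the two handlers.
    for name in ("/etc/cron.d/backdoor", "C:\\Windows\\Temp\\x.tfl",
                 "../../etc/x.tfl", "flows/shell.jsp", "flows/report.tfl"):
        print(f"{name!r:32} unsafe -> {unsafe_target_path(UPLOAD_ROOT, name)}"
              f"  | safe -> {rejection_reason(name) or safe_target_path(UPLOAD_ROOT, name)}")
```

The basename-only rule is deliberate: once the server never derives a directory from client input, a path-shaped filename has nothing left to traverse, and the final commonpath check guards against any normalization surprise the earlier string checks missed.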
Attack Vector
An unauthenticated remote attacker sends a crafted upload request to a vulnerable Tableau Server endpoint exposed by the Flow Editor module. The request specifies a dangerous file type and an absolute path outside the intended storage directory. The server writes the attacker-controlled file to that location, enabling follow-on attacks against the host or hosted content.
The vulnerability mechanism is described in the Salesforce Help Article. No public proof-of-concept code is available, and CVE-2025-26497 is not currently listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2025-26497
Indicators of Compromise
- Unexpected files appearing outside standard Tableau Server data directories, particularly executables, scripts, or web payloads written via absolute paths.
- HTTP requests to Flow Editor upload endpoints containing absolute path values (for example, strings beginning with / on Linux or C:\ on Windows, including URL-encoded forms such as %2F and C%3A%5C) in filename or path parameters.
- New or modified files in Tableau Server binary, configuration, or web-accessible directories that do not correlate with administrator activity.
Detection Strategies
- Inspect Tableau Server access logs for POST requests to Flow Editor endpoints containing path traversal sequences or absolute path indicators. Access logs record the request line and query string, not multipart request bodies, so a filename carried only in the body will not appear there; the file system correlation below covers that gap.
- Monitor file system audit events on Tableau Server hosts for writes by the Tableau service account outside expected working directories.
- Correlate web request logs with file creation events to identify uploads that landed in unauthorized locations.
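The three strategies above, run over constructed sample data, as an added example that is not a Tableau-supplied detection. It scans access-log lines in Apache combined format (assumed; check your gateway's actual layout) for POSTs to Flow Editor upload paths whose query string carries an absolute path or dot-dot sequence, decoding twice so encoded separators are not missed, and then pairs each hit with file-creation events that landed outside the expected data directory within a short window. The endpoint path /flow/api/upload, the expected directory, and every log line and file event are assumptions constructed for the example.

```python
"""Detection sketch for CVE-2025-26497-style uploads.

Added example with constructed sample data; not a vendor detection.
Assumptions: Apache combined access-log format, a Flow Editor upload path
containing "/flow", and EXPECTED_DIRS as the only legitimate write roots.
"""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

# Assumed gateway access-log layout (Apache combined format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
FLOW_PATH_HINT = "/flow"  # assumed substring identifying Flow Editor upload endpoints
EXPECTED_DIRS = ("/var/opt/tableau/tableau_server/data/",)  # assumed legitimate write roots
# Absolute path (POSIX root, drive letter, UNC) after a separator, or a dot-dot segment.
SUSPICIOUS_RE = re.compile(r'(^|[=:"\'])(/[A-Za-z]|[A-Za-z]:[\\/]|\\\\\w)|\.\.[\\/]')


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    req["ts"] = datetime.strptime(req["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return req


def flag_requests(lines):
    """Return POST requests to Flow Editor paths whose query string carries
    an absolute-path or traversal indicator (after double URL-decoding)."""
    hits = []
    for line in lines:
        req = parse_line(line)
        if not req or req["method"] != "POST" or FLOW_PATH_HINT not in req["target"]:
            continue
        decoded = unquote(unquote(req["target"]))  # defeat %252F-style double encoding
        query = decoded.partition("?")[2]          # only parameter values are client-chosen paths
        if SUSPICIOUS_RE.search(query):
            hits.append(req)
    return hits


def correlate(hits, file_events, window=timedelta(seconds=30)):
    """Pair each flagged request with file creations outside EXPECTED_DIRS
    that occurred within `window` after it. file_events: (ts, path, user)."""
    findings = []
    for req in hits:
        for ts, path, user in file_events:
            if path.startswith(EXPECTED_DIRS):
                continue
            if timedelta(0) <= ts - req["ts"] <= window:
                findings.append({"ip": req["ip"], "target": req["target"],
                                 "file": path, "user": user})
    return findings


# Constructed sample data: one benign upload, two suspicious ones, one irrelevant GET.
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Aug/2025:10:15:32 +0000] "POST /flow/api/upload?name=report.tfl HTTP/1.1" 200 512',
    '203.0.113.7 - - [22/Aug/2025:10:15:40 +0000] "POST /flow/api/upload?name=%2Fetc%2Fcron.d%2Fbackdoor HTTP/1.1" 200 512',
    '198.51.100.9 - - [22/Aug/2025:10:16:01 +0000] "POST /flow/api/upload?name=..%2F..%2Fhtdocs%2Fcmd.jsp HTTP/1.1" 200 512',
    '198.51.100.9 - - [22/Aug/2025:10:16:05 +0000] "GET /flow/ui?name=/docs HTTP/1.1" 200 98',
]
SAMPLE_FILE_EVENTS = [  # constructed file-creation audit events: (timestamp, path, user)
    (datetime(2025, 8, 22, 10, 15, 41, tzinfo=timezone.utc), "/etc/cron.d/backdoor", "tableau"),
    (datetime(2025, 8, 22, 10, 16, 3, tzinfo=timezone.utc),
     "/var/opt/tableau/tableau_server/data/tabsvc/flows/report.tfl", "tableau"),
]

if __name__ == "__main__":
    hits = flag_requests(SAMPLE_LOG)
    for h in hits:
        print("suspicious request:", h["ip"], h["target"])
    for f in correlate(hits, SAMPLE_FILE_EVENTS):
        print("correlated write:", f)
```

The second sample request is both flagged and correlated (its encoded absolute path is followed one second later by a write to /etc/cron.d), while the third is flagged but uncorrelated because the only nearby write landed in the expected data directory; in practice the uncorrelated hit still deserves a look, since a file written by a parameter that lives only in the multipart body never reaches the access log at all.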
Monitoring Recommendations
- Enable verbose logging on Tableau Server and forward logs to a centralized analytics platform for retention and search.
- Apply file integrity monitoring to Tableau Server installation, configuration, and web content directories.
- Alert on process executions originating from directories that should contain only static content or uploaded flow artifacts.
How to Mitigate CVE-2025-26497
Immediate Actions Required
- Upgrade Tableau Server to a fixed release: 2025.1.3 or later, 2024.2.12 or later, or 2023.3.19 or later, depending on the deployed branch.
- Restrict network exposure of Tableau Server, especially Flow Editor endpoints, to trusted networks until patching is complete.
- Review Tableau Server file systems for unexpected files written outside designated upload and content directories.
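Deciding whether a given deployment needs the upgrade is a matter of mapping its version string onto the fixed builds named above. The following is an added helper, not a vendor tool: it extracts a Tableau Server version such as 2024.2.11 from a string (for instance the output of a version command on the host), compares it against the fixed build for the same release branch, and takes the conservative reading of "versions before 2025.1.3, 2024.2.12, and 2023.3.19" for branches that have no listed fix of their own: such a version is treated as affected and pointed at the next listed fixed build. Versions newer than every listed fix are not judged at all; the advisory is the authority there.

```python
"""Classify a Tableau Server version against the fixed builds for CVE-2025-26497.

Added example, not a vendor tool. FIXED_BUILDS holds only the builds named on
this page; the handling of unlisted branches is a conservative assumption.
"""
import re

VERSION_RE = re.compile(r"\b(\d{4})\.(\d{1,2})\.(\d{1,3})\b")

# Fixed builds named on this page, keyed by release branch (year, minor).
FIXED_BUILDS = {
    (2025, 1): (2025, 1, 3),
    (2024, 2): (2024, 2, 12),
    (2023, 3): (2023, 3, 19),
}


def fmt(version):
    return ".".join(str(part) for part in version)


def parse_version(text):
    """Extract the first year.minor.maintenance triple from `text`."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Tableau version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(text):
    """Return a short verdict string for the version found in `text`."""
    version = parse_version(text)
    branch = version[:2]
    if branch in FIXED_BUILDS:
        fixed = FIXED_BUILDS[branch]
        return "fixed" if version >= fixed else f"vulnerable: upgrade to {fmt(fixed)}"
    if version > max(FIXED_BUILDS.values()):
        return "newer than the fixed builds on this page: confirm with the vendor advisory"
    # Conservative assumption: a branch inside the affected range with no fix of its
    # own cannot be patched in place; move to the next branch that has a fixed build.
    next_fixed = min(f for f in FIXED_BUILDS.values() if f > version)
    return (f"vulnerable: no fixed build listed for {branch[0]}.{branch[1]}; "
            f"upgrade to at least {fmt(next_fixed)}")


if __name__ == "__main__":
    # Constructed version strings covering each branch of the logic.
    for sample in ("Tableau Server 2024.2.11", "2024.2.12", "2025.1.2",
                   "2023.3.19", "2024.1.9", "2025.2.1"):
        print(f"{sample:28} -> {assess(sample)}")
```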
Patch Information
Salesforce has published fixed versions of Tableau Server addressing this issue: 2025.1.3, 2024.2.12, and 2023.3.19. Refer to the Salesforce Help Article for full remediation guidance and the mapping from each deployed branch to its fixed build.
Workarounds
- Place Tableau Server behind a web application firewall configured to block requests containing absolute paths or path traversal sequences in upload parameters.
- Limit access to Flow Editor functionality at the network layer until the upgrade is applied.
- Run the Tableau Server service under a least-privileged account so that unauthorized writes are constrained by file system permissions. This limits the blast radius rather than closing the hole: the service account can still write anywhere it legitimately needs to, including its own content and configuration directories.
# Example ModSecurity rule to block absolute path indicators in Flow Editor upload requests
# (adapt to your WAF syntax; verify against legitimate Tableau traffic before enforcing).
# phase:2 is required so that request bodies are inspected; FILES and FILES_NAMES cover
# multipart filenames and part names, ARGS and ARGS_NAMES cover query and form fields.
# Request headers are deliberately not matched: Referer and Cookie values routinely
# contain "=/" and would produce false positives.
SecRule REQUEST_URI "@contains /flow" "chain,phase:2,deny,status:403,id:1002601,log,msg:'Absolute path or traversal in Flow Editor upload'"
SecRule ARGS|ARGS_NAMES|FILES|FILES_NAMES "@rx (^|[\"'=])(/[A-Za-z]|[A-Za-z]:\\\\)|[.][.][/\\\\]" "t:none"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.