CVE-2025-26497 Overview
CVE-2025-26497 is an Unrestricted Upload of File with Dangerous Type vulnerability [CWE-434] in Salesforce Tableau Server on Windows and Linux. The flaw resides in the Flow Editor modules and allows absolute path traversal. Attackers can upload files with dangerous types to locations outside the intended directory structure. The vulnerability affects Tableau Server versions before 2025.1.3, before 2024.2.12, and before 2023.3.19. It is exploitable over the network without authentication or user interaction.
Critical Impact
Network-accessible attackers can upload arbitrary files to absolute paths on the Tableau Server host, leading to confidentiality, integrity, and availability impact across the deployment.
Affected Products
- Tableau Server on Windows (versions before 2025.1.3, 2024.2.12, and 2023.3.19)
- Tableau Server on Linux (versions before 2025.1.3, 2024.2.12, and 2023.3.19)
- Flow Editor modules within affected Tableau Server releases
Discovery Timeline
- 2025-08-22 - CVE-2025-26497 published to NVD
- 2025-11-06 - Last updated in NVD database
Technical Details for CVE-2025-26497
Vulnerability Analysis
The vulnerability exists in the Flow Editor modules of Tableau Server. The application accepts file uploads without adequately validating file type or destination path. An attacker can supply an absolute path during the upload operation, bypassing intended directory restrictions. This combination of unrestricted file type and absolute path traversal allows attacker-controlled content to be written to arbitrary filesystem locations accessible by the Tableau Server process.
Because the attack vector is network-based and requires no privileges or user interaction, any reachable Tableau Server instance running an affected version is exposed. The Flow Editor handles data preparation workflows, making it an integral component of typical Tableau Server deployments.
Root Cause
The root cause is insufficient input validation in the file upload handlers within the Flow Editor modules. The server does not enforce restrictions on file extensions or MIME types and does not normalize destination paths to a fixed upload directory. Absolute paths submitted by the client are honored, enabling writes outside the intended sandbox.
Attack Vector
An unauthenticated remote attacker sends a crafted upload request to the Flow Editor endpoint. The request specifies a dangerous file type and an absolute destination path. The server writes the file to the attacker-chosen location. Depending on the target path and process privileges, this can be leveraged to overwrite configuration files, plant executable content in monitored directories, or stage further attacks against the host.
No verified public proof-of-concept exploit is currently available. Refer to the Salesforce Support Article for vendor-provided technical details.
Detection Methods for CVE-2025-26497
Indicators of Compromise
- Unexpected files written outside standard Tableau Server data directories, particularly in system paths or user home directories
- HTTP requests to Flow Editor upload endpoints containing absolute path patterns (e.g., C:\ on Windows or / prefixed paths on Linux)
- New or modified executable, script, or configuration files in directories writable by the Tableau Server service account
Detection Strategies
- Inspect Tableau Server access logs for upload requests with anomalous filename or path parameters referencing absolute paths
- Monitor the Tableau Server process for file write operations outside its expected working directories
- Alert on creation of files with dangerous extensions (e.g., .jsp, .exe, .dll, .sh, .bat) by the Tableau Server service
Monitoring Recommendations
- Enable verbose logging on Flow Editor endpoints and forward logs to a centralized analytics platform for correlation
- Deploy file integrity monitoring on Tableau Server installation directories and OS-level sensitive paths
- Track outbound network connections from the Tableau Server host to identify post-exploitation activity
How to Mitigate CVE-2025-26497
Immediate Actions Required
- Upgrade Tableau Server to version 2025.1.3, 2024.2.12, or 2023.3.19 or later, matching your maintenance branch
- Inventory all Tableau Server deployments on Windows and Linux to confirm patch status
- Restrict network access to Tableau Server management and Flow Editor endpoints to trusted networks only
- Review server filesystem and logs for indicators of prior exploitation
Patch Information
Salesforce has released fixed versions of Tableau Server addressing this vulnerability. Apply version 2025.1.3, 2024.2.12, or 2023.3.19 (or later) according to your deployment branch. Patch details are available in the Salesforce Support Article.
Workarounds
- Place Tableau Server behind a reverse proxy or web application firewall that inspects upload requests and blocks absolute path parameters
- Restrict the Tableau Server service account to the minimum filesystem permissions required for operation
- Disable or restrict access to Flow Editor functionality if it is not required in your environment until patching is complete
# Verify Tableau Server version on Linux
tsm version
# Example WAF rule concept: block upload requests containing absolute paths
# (adapt to your WAF syntax)
# Deny requests where body parameter matches: ^([A-Za-z]:\\|/).*
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
