CVE Vulnerability Database

CVE-2025-52451: Tableau Server Path Traversal Flaw

CVE-2025-52451 is a path traversal vulnerability in Tableau Server affecting the tabdoc API module. Attackers can exploit this flaw to access unauthorized files. This article covers technical details, affected versions, and mitigation.


CVE-2025-52451 Overview

CVE-2025-52451 is an improper input validation vulnerability [CWE-20] in Salesforce Tableau Server affecting the tabdoc API create-data-source-from-file-upload modules on Windows and Linux. The flaw allows absolute path traversal, enabling attackers to reference arbitrary file paths during data source creation operations. Affected versions are Tableau Server releases prior to 2025.1.3, 2024.2.12, and 2023.3.19. The vulnerability carries a CVSS 3.1 base score of 8.5, with an adjacent-network attack vector and changed scope, indicating impact across a trust boundary.

Critical Impact

Successful exploitation allows an adjacent-network attacker to traverse absolute filesystem paths through the Tableau tabdoc data source upload API, leading to high confidentiality and integrity impact on the host system.

Affected Products

  • Tableau Server versions prior to 2025.1.3
  • Tableau Server versions prior to 2024.2.12
  • Tableau Server versions prior to 2023.3.19 (Windows and Linux)

Discovery Timeline

  • 2025-08-22 - CVE-2025-52451 published to NVD
  • 2025-10-30 - Last updated in NVD database

Technical Details for CVE-2025-52451

Vulnerability Analysis

The vulnerability resides in the Tableau Server tabdoc API, specifically within the create-data-source-from-file-upload modules. These modules accept file path parameters as part of data source creation workflows. The API fails to validate or canonicalize submitted path values, allowing absolute filesystem paths to bypass intended directory restrictions.

An attacker on an adjacent network with the ability to interact with the Tableau Server endpoint can craft requests that reference files outside the intended upload directory. Because the CVSS scope is marked changed, exploitation can affect resources beyond the vulnerable component, including underlying host files on Windows or Linux deployments.

The issue is classified as [CWE-20] Improper Input Validation. User interaction is required, suggesting that an authenticated or privileged user must trigger the malformed request as part of the attack chain.

Root Cause

The root cause is the absence of sufficient input validation on file path parameters submitted to the create-data-source-from-file-upload endpoints. The handler accepts absolute paths without normalizing or restricting them to the designated upload directory. This permits path traversal beyond the application's intended boundary.
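The two handling patterns described above (a handler that accepts the client path as-is, beside one that rejects absolute paths, canonicalizes, and confines the result to the upload directory), as an added Python example. This is not Tableau's code; the tabdoc implementation is not shown on this page, and `UPLOAD_ROOT`, the function names, and the request shape are assumptions for illustration. The unsafe resolver shows why joining an absolute client path onto an upload root silently discards the root; the safe one applies the validation the advisory describes as missing, under both Windows and POSIX path conventions since the flaw affects both platforms.

```python
from pathlib import Path, PurePosixPath, PureWindowsPath

# Hypothetical upload root for illustration; Tableau's real layout is not given here.
UPLOAD_ROOT = Path("/var/opt/tableau/uploads")


def resolve_upload_unsafe(upload_root: Path, client_path: str) -> Path:
    """Vulnerable pattern: joins the client-supplied path without any checks.

    pathlib (like os.path.join) discards everything before an absolute
    component, so Path("/uploads") / "/etc/hostname" is "/etc/hostname".
    The upload root vanishes and no confinement happens at all.
    """
    return upload_root / client_path


def resolve_upload_safe(upload_root: Path, client_path: str) -> Path:
    """Hardened pattern: reject, canonicalize, then confine to the upload root."""
    posix = PurePosixPath(client_path)
    win = PureWindowsPath(client_path)

    # 1. Reject absolute paths under either OS convention (the advisory covers
    #    Windows and Linux): POSIX "/...", drive letters "C:...", rooted "\..."
    #    and UNC "\\server\share\...". PureWindowsPath also treats "/" as a root.
    if posix.is_absolute() or win.drive or win.root:
        raise ValueError("absolute path rejected")

    # 2. Reject parent-directory components under either separator style.
    if ".." in posix.parts or ".." in win.parts:
        raise ValueError("parent directory reference rejected")

    # 3. Canonicalize both sides (symlinks, ".", redundant separators) and confirm
    #    the result is still beneath the root. This is the check that the
    #    vulnerable handler lacks.
    root = upload_root.resolve()
    candidate = (root / client_path).resolve()
    if root not in candidate.parents:
        raise ValueError("path escapes upload root")
    return candidate


def is_accepted(client_path: str, upload_root: Path = UPLOAD_ROOT) -> bool:
    """Convenience wrapper: True if the hardened resolver accepts client_path."""
    try:
        resolve_upload_safe(upload_root, client_path)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate relative path and three that
    # the hardened resolver must refuse.
    for p in ["sales/q1.csv", "/etc/hostname", "C:\\Windows\\win.ini", "..\\..\\secrets.txt"]:
        verdict = "accepted" if is_accepted(p) else "rejected"
        print(f"{p!r:28} unsafe -> {resolve_upload_unsafe(UPLOAD_ROOT, p)}  safe -> {verdict}")
```

Checking both `PurePosixPath` and `PureWindowsPath` is deliberate: a service running on Linux still receives backslash-separated values from Windows clients, and a check written for one separator style misses the other. The final `resolve()` comparison is the step that makes the confinement hold even when the earlier string checks are bypassed by some encoding the filter did not anticipate.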

Attack Vector

Exploitation requires adjacent network access to the Tableau Server instance and user interaction. An attacker submits a crafted request to the tabdoc API containing an absolute path that references arbitrary files on the server filesystem. The server processes the path without restriction, exposing file contents or enabling integrity impact during data source creation.

No public proof-of-concept exploit is available, and the vulnerability is not listed on the CISA Known Exploited Vulnerabilities catalog. Refer to the Salesforce Help Article for vendor technical details.

Detection Methods for CVE-2025-52451

Indicators of Compromise

  • Unexpected HTTP requests to tabdoc API endpoints, particularly create-data-source-from-file-upload, containing absolute path syntax such as /etc/, C:\, or \\ sequences in parameters
  • Tableau Server logs showing data source creation events referencing files outside standard upload directories
  • Anomalous file access events on the Tableau Server host originating from the Tableau service account

Detection Strategies

  • Monitor Tableau Server access logs for tabdoc API calls containing path separators or absolute path prefixes in file upload parameters
  • Correlate Tableau application events with host-level file access telemetry to identify cross-boundary file reads
  • Apply web application firewall rules that inspect request bodies sent to the Tableau data source creation endpoints
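The first detection strategy above (flagging tabdoc API calls whose upload parameters carry absolute path prefixes or parent-directory references), as an added Python example that is not part of the original page or of any Tableau tooling. The log records are constructed JSON lines with an assumed schema (`ts`, `user`, `src`, `endpoint`, `params`); Tableau's actual log formats differ, so only the parsing front end would change when pointing this at real data.

```python
import json
import re
from typing import Optional

# Constructed sample records (JSON lines), not real Tableau log output.
# The field names are assumptions; adapt the parser to the real log schema.
SAMPLE_LOG = r"""
{"ts": "2025-09-01T10:00:01Z", "user": "alice", "src": "10.0.5.21", "endpoint": "tabdoc/create-data-source-from-file-upload", "params": {"file": "sales/q1.csv"}}
{"ts": "2025-09-01T10:00:07Z", "user": "bob", "src": "10.0.5.40", "endpoint": "tabdoc/create-data-source-from-file-upload", "params": {"file": "/etc/hostname"}}
{"ts": "2025-09-01T10:00:09Z", "user": "carol", "src": "10.0.5.40", "endpoint": "tabdoc/create-data-source-from-file-upload", "params": {"file": "C:\\Windows\\win.ini"}}
{"ts": "2025-09-01T10:00:12Z", "user": "dave", "src": "10.0.5.41", "endpoint": "tabdoc/create-data-source-from-file-upload", "params": {"file": "\\\\fileserver\\share\\q2.csv"}}
{"ts": "2025-09-01T10:00:15Z", "user": "erin", "src": "10.0.5.22", "endpoint": "vizql/bootstrap", "params": {"view": "/views/sales"}}
"""

# Patterns that should never appear in an upload *file name* parameter. Order
# matters only for the reason label; the first match wins.
ABS_PATH_PATTERNS = [
    ("posix-absolute", re.compile(r"^/")),                    # /etc/...
    ("windows-drive", re.compile(r"^[A-Za-z]:[\\/]")),        # C:\... or C:/...
    ("unc-path", re.compile(r"^\\\\")),                       # \\server\share\...
    ("dot-dot", re.compile(r"(^|[\\/])\.\.([\\/]|$)")),       # ../ or ..\ components
]


def classify_value(value: str) -> Optional[str]:
    """Return the name of the first matching suspicious pattern, or None."""
    for name, pattern in ABS_PATH_PATTERNS:
        if pattern.search(value):
            return name
    return None


def flag_suspicious(log_text: str) -> list:
    """Scan JSON-lines records and return one finding per suspicious parameter.

    Only tabdoc endpoints are inspected; the same value on an unrelated endpoint
    (e.g. a view path in vizql) is expected and would otherwise be noise.
    """
    findings = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        rec = json.loads(raw)
        if "tabdoc" not in rec.get("endpoint", ""):
            continue
        for param, value in rec.get("params", {}).items():
            if not isinstance(value, str):
                continue
            reason = classify_value(value)
            if reason is not None:
                findings.append({
                    "ts": rec.get("ts"),
                    "user": rec.get("user"),
                    "src": rec.get("src"),
                    "endpoint": rec["endpoint"],
                    "param": param,
                    "value": value,
                    "reason": reason,
                })
    return findings


if __name__ == "__main__":
    for f in flag_suspicious(SAMPLE_LOG):
        print(f"{f['ts']} user={f['user']} src={f['src']} {f['param']}={f['value']!r} [{f['reason']}]")
```

Run over the constructed sample, the scan flags bob, carol and dave (POSIX absolute, Windows drive, UNC) and ignores alice's relative name and erin's non-tabdoc request. In a SIEM, the `user` and `src` fields are what the monitoring recommendations below suggest correlating with preceding authentication events and with host-level file access telemetry from the Tableau service account.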

Monitoring Recommendations

  • Enable verbose audit logging on Tableau Server and forward events to a centralized SIEM for correlation
  • Track authentication events that precede data source creation requests to identify the originating user accounts
  • Alert on Tableau service process accessing files outside expected directories such as data extracts and configuration paths

How to Mitigate CVE-2025-52451

Immediate Actions Required

  • Upgrade Tableau Server to 2025.1.3, 2024.2.12, or 2023.3.19 (or later), according to the deployed release branch
  • Restrict network access to Tableau Server administrative and API endpoints to trusted management networks
  • Review recent data source creation activity for evidence of suspicious absolute path usage

Patch Information

Salesforce has released fixed versions of Tableau Server addressing the path traversal flaw. Administrators should reference the Salesforce Help Article for the official patch advisory and upgrade procedures. Apply the appropriate maintenance release for the deployed branch: 2025.1.3, 2024.2.12, or 2023.3.19.

Workarounds

  • Limit user permissions for data source creation to a minimum set of trusted accounts until patching is complete
  • Place Tableau Server behind a reverse proxy or web application firewall that filters absolute path patterns in API request bodies
  • Apply operating system level access controls so that the Tableau service account cannot read sensitive files outside required directories

```bash
# Example: restrict Tableau service account file access on Linux
# Replace tableau_user / tableau_group with the actual service account and group
chown -R tableau_user:tableau_group /var/opt/tableau/tableau_server
# Remove read/write/execute for "other" users across the install tree
chmod -R o-rwx /var/opt/tableau/tableau_server
# Verify the installed version after patching
tsm version
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
