A critical security flaw in Tableau Server could enable attackers to upload and execute malicious files, potentially leading to complete system compromise.
The vulnerability, tracked as CVE-2025-26496 with a CVSS score of 9.6, affects multiple versions of both Tableau Server and Tableau Desktop across Windows and Linux platforms.
Key Takeaways
1. CVE-2025-26496 (CVSS 9.6) is a type confusion flaw in Tableau Server's File Upload modules that allows local code inclusion.
2. Four further flaws (CVE-2025-26497, CVE-2025-26498, CVE-2025-52450, CVE-2025-52451) allow unrestricted file upload and path traversal through upload-related modules.
3. Upgrade Tableau Server to 2025.1.4, 2024.2.13 or 2023.3.20 (or a later maintenance release in the same branch).
Tableau Server File Upload Vulnerabilities
Salesforce Security identified five distinct vulnerabilities during a proactive security assessment, with fixes included in the July 22, 2025 Maintenance Release.
The most severe vulnerability, CVE-2025-26496, involves Access of Resource Using Incompatible Type (‘Type Confusion’) in the File Upload modules, allowing Local Code Inclusion attacks.
The vulnerability affects Tableau Server versions before 2025.1.4, before 2024.2.13, and before 2023.3.20.
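The three fixed versions belong to three separate release branches, so a build has to be compared against the fix for its own branch: 2024.2.12 is numerically newer than 2023.3.20 yet still vulnerable. The helper below is an added triage example, not Salesforce or Tableau code; it encodes the fixed versions from the advisory and reports branches the advisory does not name as "unlisted" rather than assuming they are safe. The handling of build metadata after a space or hyphen is an assumption about how the version string was obtained.

```python
# Added triage helper, not Salesforce or Tableau code: classify a Tableau Server
# build against the fixed versions named in the advisory (2025.1.4, 2024.2.13,
# 2023.3.20). Branches the advisory does not list are reported as such rather
# than assumed safe.
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# Earliest fixed maintenance build per supported branch (year, release).
FIXED_VERSIONS: Dict[Tuple[int, int], Version] = {
    (2025, 1): (2025, 1, 4),
    (2024, 2): (2024, 2, 13),
    (2023, 3): (2023, 3, 20),
}


def parse_version(version: str) -> Version:
    """Parse a Tableau version such as '2024.2.10' or '2025.1'.

    The first build of a branch carries no maintenance number, so it is treated
    as .0. Anything after whitespace or a hyphen (build metadata) is dropped;
    that is an assumption about how the string was obtained, not a Tableau rule.
    """
    tokens = version.strip().split()
    if not tokens:
        raise ValueError("empty version string")
    parts = tokens[0].split("-")[0].split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def assess(version: str) -> str:
    """Return 'vulnerable', 'fixed' or 'unlisted' for one installed version."""
    year, release, maint = parse_version(version)
    fixed = FIXED_VERSIONS.get((year, release))
    if fixed is None:
        return "unlisted"  # branch not named in the advisory: confirm with the vendor
    return "fixed" if (year, release, maint) >= fixed else "vulnerable"


if __name__ == "__main__":
    # 2024.2.12 sorts after 2023.3.20 but is still vulnerable: the comparison
    # must be made within a branch, never across branches.
    for v in ("2025.1.3", "2025.1.4", "2024.2.12", "2024.2.13", "2023.3", "2024.1.7"):
        print(f"{v:>10}  {assess(v)}")
```

Feed it the version reported by the server (for example the output of the TSM command line) for each node; a result of "unlisted" means the branch is outside the advisory's scope and should be checked against Salesforce's release notes rather than treated as patched.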
Salesforce classifies the flaw as CWE-843 type confusion: the upload handler treats a resource as one type while it was validated or stored as another, so checks made on one interpretation do not hold for the way the file is later used. The advisory gives no further mechanics, but the stated outcome, local code inclusion, means an uploaded file can be pulled into the application's execution path, which is what puts the CVSS score in the critical range.
Two further high-severity vulnerabilities, CVE-2025-26497 and CVE-2025-26498 (both CVSS 7.7), are Unrestricted Upload of File with Dangerous Type issues in the Flow Editor and establish-connection-no-undo modules respectively.
Both allow Absolute Path Traversal: a caller-supplied absolute path is honoured instead of being confined to the upload directory, so the uploaded file can be written to an attacker-chosen location on the server filesystem.
Path Traversal Vulnerabilities
Two path traversal vulnerabilities, CVE-2025-52450 and CVE-2025-52451, both scoring 8.5 on CVSS, affect the tabdoc API’s create-data-source-from-file-upload modules.
CVE-2025-52450 represents an Improper Limitation of a Pathname to a Restricted Directory vulnerability, while CVE-2025-52451 involves Improper Input Validation.
These flaws allow an attacker to place path components such as ../ in the upload request so that a file is accessed outside the intended upload directory.
Salesforce has not published the specific validation gap. When an Improper Input Validation finding sits next to a Path Traversal finding in the same module, the usual reading is that a sanitization step exists but can be bypassed; well-known routes past such filters are double percent-encoding (%252e%252e%252f only becomes ../ on a second decode) and look-alike Unicode characters that a later normalization step turns into dots and slashes. The durable fix is to resolve the final filesystem path and verify that it remains inside the upload root, not to filter strings.
Because the affected modules accept caller-influenced paths, a successful attack could overwrite server files, read configuration data or plant a web shell for persistent access, and in an enterprise deployment that foothold could be used for lateral movement and privilege escalation.
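The following block is an added illustration, not Tableau code, of the two traversal classes discussed in this section: absolute path traversal (the handler honours a caller-supplied absolute path) and relative traversal via ../ , including the double-encoded and Unicode look-alike forms that slip past a string blocklist. UPLOAD_ROOT, the sample names and the "filter once, decode again downstream" pipeline are constructed for the example; the hardened handler shows the resolve-then-verify approach.

```python
# Added illustration, not Tableau code: a weak upload-path handler beside a
# hardened one, exercised with the traversal inputs discussed above. UPLOAD_ROOT
# and every input below are constructed for the example.
import os
import posixpath
import unicodedata
from urllib.parse import unquote

UPLOAD_ROOT = "/srv/app/uploads"  # constructed example root


def naive_filter_allows(user_path: str) -> bool:
    """Blocklist check seen in weak handlers: decode once, refuse '..' and a
    leading '/'. Double encoding and look-alike dots slip straight past it."""
    p = unquote(user_path)
    return ".." not in p and not p.startswith("/")


def vulnerable_target_path(user_path: str) -> str:
    """The weak pattern. A second decode and an NFKC pass stand in for the
    downstream components (proxy, framework, filesystem layer) that often
    re-decode or normalise the name after the filter ran. os.path.join drops
    UPLOAD_ROOT entirely when the name is absolute (absolute path traversal),
    and normpath follows '..' out of the root (relative path traversal)."""
    p = unicodedata.normalize("NFKC", unquote(unquote(user_path)))
    return os.path.normpath(os.path.join(UPLOAD_ROOT, p))


def hardened_target_path(user_path: str) -> str:
    """Decode exactly once, normalise, reject what cannot be a plain name, then
    resolve and prove the result still lies under UPLOAD_ROOT. Containment is
    checked on the resolved path, so it does not rely on string filtering."""
    decoded = unicodedata.normalize("NFKC", unquote(user_path))
    if "%" in decoded or "\x00" in decoded or "\\" in decoded:
        raise ValueError("still-encoded, NUL or backslash in name")
    if posixpath.isabs(decoded):
        raise ValueError("absolute path rejected")
    rel = posixpath.normpath(decoded)
    if rel in (".", "..") or rel.startswith("../"):
        raise ValueError("traversal rejected")
    root = os.path.realpath(UPLOAD_ROOT)
    candidate = os.path.realpath(os.path.join(root, rel))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("resolved path escapes upload root")
    return candidate


def classify(user_path: str) -> str:
    """'rejected', or the path the hardened handler would write to."""
    try:
        return hardened_target_path(user_path)
    except ValueError:
        return "rejected"


# Constructed inputs: one benign name and four traversal attempts.
SAMPLES = [
    "report.csv",
    "../../../etc/cron.d/job",  # plain relative traversal
    "/etc/cron.d/job",          # absolute path: os.path.join discards the root
    "%252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fcron.d%252fjob",  # double-encoded
    "\uff0e\uff0e/\uff0e\uff0e/\uff0e\uff0e/etc/cron.d/job",  # fullwidth dots, NFKC -> '../'
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r}\n  filter allows: {naive_filter_allows(s)}"
              f"\n  weak handler : {vulnerable_target_path(s)}"
              f"\n  hardened     : {classify(s)}")
```

Running it shows the blocklist waving through the double-encoded and fullwidth inputs while the weak handler resolves every attack to /etc/cron.d/job; the hardened handler rejects all four and accepts only the plain name. Rejecting any '%' left after a single decode is deliberate: a legitimate client encodes once, so a surviving percent sign means either a second encoding layer or an attempt to exploit one.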
| CVE ID | Vulnerability Type | CVSS 3.1 Score | Severity |
| --- | --- | --- | --- |
| CVE-2025-26496 | Access of Resource Using Incompatible Type (‘Type Confusion’) | 9.6 | Critical |
| CVE-2025-26497 | Unrestricted Upload of File with Dangerous Type | 7.7 | High |
| CVE-2025-26498 | Unrestricted Upload of File with Dangerous Type | 7.7 | High |
| CVE-2025-52450 | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 8.5 | High |
| CVE-2025-52451 | Improper Input Validation | 8.5 | High |
Immediate Patching Required
Organizations running affected versions must upgrade Tableau Server to 2025.1.4, 2024.2.13 or 2023.3.20, or a later maintenance release in the same branch, and apply the corresponding Tableau Desktop update described in the advisory.
The vulnerability disclosure follows responsible disclosure practices, with Salesforce providing patches before public disclosure.
System administrators should prioritize patching due to the critical CVSS scores and the potential for remote code execution.
The combination of file upload and path traversal vulnerabilities creates a dangerous attack vector that could lead to complete server compromise, data exfiltration, and deployment of ransomware or other malicious payloads.
Security teams should also review web-server and Tableau access logs for upload requests carrying traversal sequences, including percent-encoded and double-encoded forms, add WAF rules that flag path traversal against upload endpoints as a stopgap rather than a substitute for patching, and treat any server that was exposed while unpatched as a candidate for compromise assessment (unexpected files in web-served or executable directories, new persistence mechanisms, unexplained outbound connections).
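As an added example of the log review suggested above (not Tableau or Salesforce code), the script below scans access-log lines in the common log format for POST/PUT requests whose target contains a traversal marker after repeated percent-decoding, so double encoding does not hide the attempt. The log lines and the /api/upload route are constructed for the example and are not real Tableau routes; blocked attempts are reported too, because they identify who is probing.

```python
# Added detection example, not Tableau or Salesforce code: scan access-log lines
# for upload requests whose target carries traversal markers, decoding until the
# string stops changing so double encoding cannot hide them. Log lines and the
# /api/upload route are constructed for this example; they are not Tableau routes.
import re
import unicodedata
from typing import Iterable, List, Tuple
from urllib.parse import unquote

# Common log format: client, identd, user, [time], "METHOD target protocol", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# '..' as its own segment (after a separator or a query delimiter), or an
# absolute path into a sensitive system tree supplied as a parameter value.
TRAVERSAL_RE = re.compile(
    r'(^|[/\\=?&])\.\.([/\\]|$)|[=?&/]/(etc|proc|var|windows)[/\\]', re.IGNORECASE
)


def fully_decode(s: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string is stable (bounded), then NFKC-normalise so
    fullwidth dots and slashes compare equal to their ASCII forms."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return unicodedata.normalize("NFKC", s)


def is_suspicious(target: str) -> bool:
    """True when the decoded request target contains a traversal marker, or when
    it needed more than one decode round (legitimate clients encode once)."""
    if TRAVERSAL_RE.search(fully_decode(target)):
        return True
    once = unquote(target)
    return once != target and unquote(once) != once


def find_suspicious_uploads(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client, target, status) for POST/PUT requests that look like
    traversal attempts. Blocked attempts (4xx) are kept: they show who is probing."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] not in ("POST", "PUT"):
            continue
        if is_suspicious(m["target"]):
            hits.append((m["ip"], m["target"], m["status"]))
    return hits


# Constructed sample log: one benign upload, three traversal attempts, one page view.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Jul/2025:10:01:02 +0000] "POST /api/upload?name=quarterly.csv HTTP/1.1" 200 512
10.0.0.9 - - [23/Jul/2025:10:01:07 +0000] "POST /api/upload?name=..%2f..%2f..%2fetc%2fcron.d%2fjob HTTP/1.1" 200 88
10.0.0.9 - - [23/Jul/2025:10:01:09 +0000] "POST /api/upload?name=%252e%252e%252fsrv%252fwww%252fshell.jsp HTTP/1.1" 200 88
10.0.0.9 - - [23/Jul/2025:10:01:11 +0000] "POST /api/upload?name=/etc/cron.d/job HTTP/1.1" 403 0
10.0.0.7 - - [23/Jul/2025:10:02:00 +0000] "GET /views/dashboard HTTP/1.1" 200 2048
"""

if __name__ == "__main__":
    for ip, target, status in find_suspicious_uploads(SAMPLE_LOG.splitlines()):
        print(f"{ip:<10} {status} {target}")
```

On the sample the three requests from 10.0.0.9 are reported, including the one the server answered with 403, while the benign upload and the GET are ignored. The same decoding logic is what a WAF rule needs: match on the fully decoded target, and treat a target that still changes on a second decode as suspicious in its own right.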
The post Critical Tableau Server Vulnerability Let Attackers Upload Malicious Files appeared first on Cyber Security News.