A critical type confusion vulnerability has been identified in Salesforce Tableau Server and Tableau Desktop, assigned CVE-2025-26496 with a CVSS score of 9.6. This flaw exists within the file upload modules and can be exploited by an attacker to include and execute arbitrary code on the affected system. Successful exploitation could lead to a complete compromise of the Tableau environment, resulting in data theft, system takeover, and further network intrusion.

This vulnerability is a 'Type Confusion' (CWE-843) flaw located in the file upload processing modules of Tableau Server and Tableau Desktop. An unauthenticated remote attacker can exploit this by crafting a malicious file and uploading it to the server. When the application processes this file, it incorrectly interprets the object's type, leading to a memory corruption state that can be leveraged to achieve arbitrary code execution with the permissions of the Tableau service account.

The vulnerability is rated as critical severity with a CVSS score of 9.6, posing a significant risk to the organization. A successful attack could lead to a complete compromise of the Tableau Server, granting the attacker full control over the application and its underlying operating system. The potential consequences include the exfiltration of sensitive business intelligence data, dashboards, and connected data sources; manipulation of critical business reports; and using the compromised server as a foothold to launch further attacks against the internal network. This could result in severe financial loss, reputational damage, and regulatory penalties.

Immediate Action: Immediately apply the security updates provided by Salesforce for all affected Tableau Server and Tableau Desktop installations. Prioritize patching for internet-facing Tableau Server instances. After patching, review access and application logs for any unusual file upload activity or errors that may indicate a past or ongoing exploitation attempt.

Proactive Monitoring: Implement enhanced monitoring on Tableau servers. Look for indicators of compromise such as unexpected child processes spawned by Tableau services (e.g., cmd.exe, powershell.exe, /bin/sh), unusual network connections originating from the server, and logs showing memory corruption errors or repeated crashes in the file processing service. Monitor network traffic for anomalous file uploads.

Compensating Controls: If immediate patching is not feasible, apply the following compensating controls:

• Restrict access to the Tableau Server from the internet or limit it to trusted IP addresses only.
• Utilize a Web Application Firewall (WAF) with rules designed to inspect and block malicious or malformed file uploads.
• Ensure Endpoint Detection and Response (EDR) solutions are deployed and properly configured on Tableau servers to detect and block post-exploitation activity.

Public Exploit Available: false

This vulnerability represents a critical risk to the confidentiality, integrity, and availability of your business data and infrastructure. It is strongly recommended that organizations treat this as a top-priority vulnerability and apply the vendor-supplied patches to all affected Tableau products immediately. Due to the high likelihood of future exploitation, all internet-facing Tableau instances should be considered high-value targets. Organizations must apply the patch and proactively hunt for any signs of compromise within their environment.