CVE-2025-52451
Tableau · Tableau Multiple Products
A high-severity vulnerability has been discovered in multiple Tableau products, specifically within the Tableau Server's API for file uploads.
Executive summary
A high-severity vulnerability has been discovered in multiple Tableau products, specifically within the Tableau Server's API for file uploads. This flaw, classified as Improper Input Validation, allows a remote attacker to perform a path traversal attack, enabling them to access, read, or potentially write files outside of the intended directories on the server. Successful exploitation could lead to a significant data breach, disclosure of sensitive configuration files, or a complete compromise of the underlying server.
Vulnerability
The vulnerability exists within the create-data-source-from-file-upload module of the tabdoc API in Tableau Server running on both Windows and Linux. Due to improper input validation, the application fails to sanitize user-supplied input for path traversal sequences (e.g., ../) or absolute file paths. An authenticated remote attacker can exploit this by crafting a malicious file upload request containing a specially formed file path, tricking the server into accessing files or directories anywhere on the file system with the permissions of the Tableau Server service account. This could allow an attacker to read sensitive system files (e.g., /etc/passwd) or write malicious files (e.g., a web shell) to an arbitrary location.
Business impact
This vulnerability is rated as High severity with a CVSS score of 8.5, posing a significant risk to the organization. Successful exploitation could lead to a severe data breach through unauthorized access to sensitive business intelligence data, database credentials stored in configuration files, or other proprietary information on the server. Furthermore, if an attacker can write files, they could achieve remote code execution by uploading a web shell, leading to a full system compromise. The potential consequences include financial loss, regulatory fines for non-compliance (e.g., GDPR, CCPA), reputational damage, and disruption of business operations reliant on the Tableau platform.
Remediation
Immediate Action: The primary and most effective remediation is to apply the security updates provided by the vendor immediately. Organizations should prioritize the deployment of these patches across all affected Tableau Server instances. Following the update, review Tableau Server and web server access logs for any suspicious file upload attempts that occurred prior to patching.
Proactive Monitoring: Security teams should actively monitor for signs of exploitation. This includes inspecting Tableau Server and web server logs for requests to the tabdoc API endpoint that contain path traversal characters (../, ..\) or absolute file paths. Implement File Integrity Monitoring (FIM) on the server to alert on unauthorized changes to critical system files or new files being created in sensitive directories.
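The log inspection described above can be sketched as follows. This is an added example, not vendor code: it assumes a combined-format access log and that requests to the affected module carry the strings "tabdoc" or "create-data-source-from-file-upload" in the URL, and the sample lines, URL layout and `name` parameter are constructed. It sees only the request line, so a path supplied in the upload body needs body-level logging or WAF inspection instead.

```python
import re
from urllib.parse import unquote

# Assumption: requests to the affected module contain one of these strings in the URL.
API_MARKERS = ("tabdoc", "create-data-source-from-file-upload")
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# ".." as a whole path segment, delimited by /, \ or the start of a parameter value.
TRAVERSAL_RE = re.compile(r"(^|[/\\=])\.\.([/\\]|$)")
# Parameter value beginning with /, a UNC prefix, or a Windows drive letter.
ABSOLUTE_RE = re.compile(r"=(/|\\\\|[A-Za-z]:[/\\])")

# Constructed sample data; URL layout and parameter name are hypothetical.
_P = '203.0.113.7 - - [01/Aug/2025:10:00:00 +0000] '
_U = "/tabdoc/create-data-source-from-file-upload?name="
SAMPLE_LOG = [
    f'{_P}"POST {_U}sales.csv HTTP/1.1" 200 512',
    f'{_P}"POST {_U}..%2F..%2Fconf%2Fx HTTP/1.1" 200 0',
    f'{_P}"POST {_U}%252e%252e%255cx HTTP/1.1" 200 0',
    f'{_P}"POST {_U}C%3A%5CTemp%5Cx HTTP/1.1" 200 0',
    f'{_P}"GET /static/../img/logo.png HTTP/1.1" 404 0',
]

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded sequences are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return findings for one log line; empty if clean or not an API request."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    target = fully_decode(m.group("target"))
    if not any(marker in target.lower() for marker in API_MARKERS):
        return []
    findings = []
    if TRAVERSAL_RE.search(target):
        findings.append("traversal")
    if ABSOLUTE_RE.search(target):
        findings.append("absolute-path")
    return findings

def scan(lines):
    """Return (line_number, findings) for every flagged line, numbering from 1."""
    hits = [(n, classify(line)) for n, line in enumerate(lines, 1)]
    return [(n, f) for n, f in hits if f]
```

Running `scan` over exported log lines from before the patch date gives a short list of entries to review by hand.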
Compensating Controls: If immediate patching is not feasible, implement the following compensating controls to reduce risk:
- Use a Web Application Firewall (WAF) with rules specifically designed to detect and block path traversal attacks against the Tableau Server.
- Restrict network access to the Tableau Server management interface and API endpoints to only trusted IP addresses.
- Ensure the Tableau Server service account runs under the principle of least privilege, so that it cannot read from or write to directories on the file system that it does not need.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high CVSS score of 8.5 and the potential for complete system compromise, immediate patching of CVE-2025-52451 is strongly recommended. All organizations using the affected Tableau Server products should treat this vulnerability as a critical priority. Although this CVE is not currently on the CISA KEV list, its severity makes it a prime candidate for future inclusion. If patching is delayed, the compensating controls outlined above must be implemented without exception to mitigate the risk of a data breach or server compromise.