critical remote attack vulnerabilities

Eight critical security vulnerabilities disclosed on June 26, 2025, have exposed Tableau Server installations worldwide to remote code execution attacks, unauthorized data access, and complete system compromises. The flaws, assigned CVE identifiers CVE-2025-52446, CVE-2025-52447, CVE-2025-52448, CVE-2025-52449, and CVE-2025-26494, affect all Tableau Server versions prior to 2025.1.3, 2024.2.12, and 2023.3.19 across both Windows and Linux deployments.

Security researchers have identified multiple attack vectors within these vulnerabilities, including remote code execution capabilities that allow attackers to run arbitrary code on target servers without authentication. Server-side request forgery flaws allow unauthorized access to internal services, while authorization bypass vulnerabilities facilitate privilege escalation through user-controlled keys.

CVE-2025-52449 in particular permits unrestricted file uploads, creating pathways for malware deployment and persistent server compromise. The Common Vulnerability Scoring System rates these flaws between 8.0 and 8.5 out of 10, indicating severe security risks. Attackers can manipulate tab-doc API modules, set-initial-sql tabdoc command modules, and validate-initial-sql API functions to circumvent security controls entirely.

Unrestricted file uploads enable malware deployment while API manipulation completely bypasses security controls, creating severe compromise pathways rated up to 8.5 severity.

These exploitation methods pose direct threats to production database clusters, potentially resulting in complete system breaches, data theft, and service disruptions. Salesforce has confirmed that Tableau Desktop and Mobile applications remain unaffected, limiting exposure to server deployments exclusively. CVE-2025-52453 enables Resource Location Spoofing attacks that expose organizations to significant data exfiltration risks.

Organizations using Trino drivers face additional complexity, because both the server software and the driver components must be updated for thorough protection. Legacy installations outside supported maintenance releases continue to face prolonged vulnerability exposure because security updates for them have been discontinued. Enterprises in finance, healthcare, and government sectors face heightened risks due to the nature of sensitive data processed through these systems.

The cybersecurity implications extend beyond immediate technical risks, as successful exploits can establish silent, persistent compromises that evade traditional detection methods. Attackers may achieve root access privileges, manipulate databases, or deploy ransomware through unrestricted file upload capabilities. Path traversal vulnerabilities compound these risks by allowing file system manipulation outside intended directories.

Salesforce has issued emergency patching recommendations, emphasizing immediate deployment of maintenance releases containing improved input validation, better authorization mechanisms, and stricter file upload restrictions. The absence of official compromise indicators complicates detection efforts, requiring organizations to implement thorough activity monitoring while prioritizing rapid patch deployment across affected infrastructure.
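To prioritize that patch deployment, a fleet inventory can be checked against the fixed maintenance releases named above. The following is an added example, not code from Salesforce or from this article; the host names and versions are constructed, and treating branches newer than 2025.1 as outside the affected range is an assumption drawn from the article's "prior to" wording.

```python
# Added example: triage a Tableau Server inventory against the fixed
# maintenance releases named in the article. Inventory data is constructed.

# branch (year, release) -> first fixed maintenance release, per the article
FIXED = {(2025, 1): 3, (2024, 2): 12, (2023, 3): 19}

def parse_version(text):
    """Parse 'YYYY.R.M'; a bare 'YYYY.R' is treated as maintenance release 0."""
    parts = text.strip().split(".")
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Tableau Server version: {text!r}")
    nums = [int(p) for p in parts] + [0]
    return tuple(nums[:3])

def classify(version_text):
    year, release, maint = parse_version(version_text)
    branch = (year, release)
    if branch in FIXED:
        fixed = FIXED[branch]
        if maint >= fixed:
            return "patched"
        return f"vulnerable: upgrade to {year}.{release}.{fixed} or later"
    if branch > max(FIXED):
        # Assumption: branches after 2025.1 fall outside "prior to 2025.1.3".
        return "not listed as affected"
    # Older or in-between branch: the article names no fix for it.
    return "vulnerable: no fixed release named for this branch, move to a fixed branch"

def triage(inventory):
    """Return {host: status}; unparseable versions are flagged, not skipped."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = classify(version)
        except ValueError as exc:
            report[host] = f"unknown: {exc}"
    return report

if __name__ == "__main__":
    # Constructed inventory (hypothetical host names and versions).
    sample = {
        "tableau-prod-01": "2025.1.2",
        "tableau-prod-02": "2024.2.12",
        "tableau-dr-01": "2023.3.7",
        "tableau-legacy": "2022.3.20",
        "tableau-lab": "v2024",
    }
    for host, status in triage(sample).items():
        print(f"{host:16} {status}")
```

Hosts reported as "unknown" should be checked by hand, since an unreadable version string is not evidence that a server is patched.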
