Overview
A severe type confusion vulnerability in Tableau’s file-upload engine enables local code inclusion — a nightmare for any BI platform. Immediate patching required. CyberDudeBivash recommends lockdown uploads, enhance logging, and urgent rollout of Salesforce’s July 2025 patch across all enterprise servers.
CVE-2025-26496, rated CVSS 9.6 (Critical), is a Type Confusion vulnerability in Tableau Server and Desktop file-upload modules that allows Local Code Inclusion (LCI) — in layman's terms, this means an attacker uploading a malformed file could execute arbitrary code on the server. Cyber Security News+10Daily CyberSecurity+10NVD+10
Affects versions prior to:
-
2025.1.3
-
2024.2.12
-
2023.3.19 cvedetails.com+8Daily CyberSecurity+8Cyber Security News+8
Attack Context:
-
Platforms impacted: Windows & Linux
-
Root cause: mishandling of resource types (CWE-843) leading to higher-level logic confusion during file processing GBHackers+8zeropath.com+8Feedly+8
Technical Deep Dive: What’s Going On Under the Hood
1. What Is Type Confusion?
Type confusion happens when a program treats a piece of data as a different type than intended — e.g., an object initialized as Type A is later accessed as Type B. This mismatch can corrupt memory or alter logic flow, allowing exploitation. In this case, malcrafted file uploads cause unexpected code paths and inclusion of attacker-controlled code. zeropath.com+1
2. Attack Vector:
Local but highly dangerous — an authenticated or sufficiently trusted user (or compromised token) uploads a payload that triggers the confusion. No user interaction is needed; the exploit only requires upload capability. NVD+7cvedetails.com+7Cyber Security News+7
3. Possible Impact
-
Full remote/local code execution with system-level implications
-
Access to sensitive data, persistent backdoors, lateral movement
-
Potential quick pivot to ransomware or data exfiltration chains
CVSS Snapshot
-
CVSS v3.1 (NVD): 9.3 — Local attack vector, low complexity, no privileges/user interaction required incibe.es+3cvedetails.com+3Cyber Security News+3incibe.es+3Tenable®+3Feedly+3
-
Alternative contextual scoring (adjacent network): 9.6 — reflects higher exposure models cvedetails.com
Affected Products & Patching
Tableau Server & Desktop — must upgrade to:
-
2025.1.3+, or
-
2024.2.12+, or
-
2023.3.19+ Cyber Security News+8Daily CyberSecurity+8zeropath.com+8
Salesforce addressed this in the July 22, 2025 Maintenance Release Cyber Kendra+3Daily CyberSecurity+3Cyber Security News+3
CyberDudeBivash Defensive Playbook
| Layer | Defense Strategy |
|---|---|
| Patch Management | Apply maintenance release NOW across all Tableau deployments. |
| Upload Hygiene | Restrict upload access, enforce file type whitelists, and validate extensions. |
| WAF & Endpoint Controls | Block anomalous file patterns and monitor for type confusion behaviors. |
| Logging & Alerts | Capture uploads, parsing errors, and unexpected execution environments. |
| Post-Patch Audit | Re-scan your enterprise with vulnerability scanners (Qualys, Tenable, etc.) to confirm remediation. |
| Hardening | Run Tableau with least privilege, enable container sandboxing, and segregate document processing environments. |
Why This Matters — Real Risk, Preemptive Solutions
In modern enterprise stack where Tableau is integrated deeply into BI and data workflows, a flaw allowing code injection via file uploads is unacceptable. This isn't about low-risk components — it’s a deep-control plane on the enterprise’s analytics backbone.
Threat actors could:
-
Inject backdoors via report files
-
Compromise the reporting layer to pipeline malicious actions
-
Bypass directory restrictions and manipulate other enterprise assets