Brief Summary: CVE-2025-26496 Type Confusion in Salesforce Tableau Server and Desktop

This post provides a brief summary of CVE-2025-26496, a type confusion vulnerability in Salesforce Tableau Server and Desktop that enables local code inclusion via file upload modules. Includes affected versions, technical details, and references.
CVE Analysis

ZeroPath CVE Analysis

2025-08-22

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

Introduction

Local code inclusion in enterprise analytics platforms can lead to full system compromise and unauthorized access to sensitive business data. Salesforce Tableau, a widely adopted business intelligence solution used by organizations worldwide, recently faced a critical vulnerability in its file upload modules that could allow attackers to execute arbitrary code.

About Salesforce Tableau: Tableau is a leading business intelligence and data visualization platform, acquired by Salesforce in 2019. It is used by thousands of enterprises globally for analytics and reporting. Its integration with Salesforce's cloud ecosystem makes it a central component in many organizations' data strategies.

Technical Information

CVE-2025-26496 is a type confusion vulnerability (CWE-843) in the file upload modules of Tableau Server and Tableau Desktop. Type confusion occurs when a resource is allocated or initialized as one type but later accessed as another, causing logical errors and potentially enabling memory corruption or code execution. In this case, improper handling of uploaded files allows attackers to exploit type mismatches, resulting in local code inclusion.

The vulnerability affects both the Windows and Linux builds, which suggests the flaw lives in shared application logic rather than platform-specific code. An attacker who can reach an upload endpoint could craft a file that triggers the type confusion and cause the application to pull in and execute code from the local host; because the impact is local (not remote) code inclusion, the attacker's leverage is content already present on, or placed onto, the Tableau host rather than a resource fetched from elsewhere. As of this writing, no public code snippet or proof of concept is available, so the exact upload paths and file types involved are not documented.
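The internals of this CVE are unpublished, so the following is an added illustration of the defect class CWE-843 describes in an upload module, not Tableau's code and not derived from this vulnerability. The types (InlineBlob, StagedFile), the manifest field "kind", the staging directory and the secret file are all hypothetical. The vulnerable parser lets a client-supplied type tag decide which type the uploaded body becomes, so attacker bytes are treated as a server-trusted file reference and the render step reads an arbitrary local file; the fixed parser only ever produces the untrusted type, and the server alone promotes blobs to staged files, inside a checked root.

```python
import json
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Union

# Hypothetical payload types for an upload module (not Tableau's real types).
@dataclass(frozen=True)
class InlineBlob:
    """Bytes supplied by the client. Must never be treated as a file name."""
    data: bytes

@dataclass(frozen=True)
class StagedFile:
    """A file the server itself wrote under STAGING_ROOT. Trusted to be read from disk."""
    path: Path

Upload = Union[InlineBlob, StagedFile]

# Constructed sandbox: a staging directory and an unrelated secret outside it.
STAGING_ROOT = Path(tempfile.mkdtemp(prefix="staging-")).resolve()
SECRET_FILE = Path(tempfile.mkdtemp(prefix="etc-")) / "secrets.conf"
SECRET_FILE.write_text("db_password=hunter2\n")

def include(upload: Upload) -> bytes:
    """Render step. Inline bytes are used as-is; staged files are read from disk.
    In a real engine the returned content would then be interpreted, which is
    what turns a confused type into local code inclusion."""
    if isinstance(upload, StagedFile):
        return upload.path.read_bytes()
    return upload.data

def parse_upload_vulnerable(manifest: str, body: bytes) -> Upload:
    """CWE-843: a client-supplied 'kind' tag decides which type the body becomes.
    Declaring kind=staged turns attacker bytes into a server-trusted StagedFile."""
    meta = json.loads(manifest)
    if meta.get("kind") == "staged":
        return StagedFile(Path(body.decode("utf-8")))
    return InlineBlob(body)

def parse_upload_fixed(manifest: str, body: bytes) -> Upload:
    """Hardened: client data can only ever become InlineBlob, whatever the manifest
    says. The manifest is still parsed (malformed JSON is rejected) but cannot pick a type."""
    json.loads(manifest)
    return InlineBlob(body)

def stage(upload: InlineBlob, name: str) -> StagedFile:
    """The only constructor of StagedFile: the server writes the blob under
    STAGING_ROOT and refuses names that resolve outside it."""
    target = (STAGING_ROOT / name).resolve()
    if STAGING_ROOT not in target.parents:
        raise ValueError(f"refusing to stage outside {STAGING_ROOT}: {name!r}")
    target.write_bytes(upload.data)
    return StagedFile(target)

def demo() -> dict:
    """Same manifest and body through both parsers; returns what include() yields."""
    manifest = json.dumps({"kind": "staged"})
    body = str(SECRET_FILE).encode("utf-8")   # attacker names a file outside staging
    return {
        "vulnerable": include(parse_upload_vulnerable(manifest, body)),
        "fixed": include(parse_upload_fixed(manifest, body)),
    }

if __name__ == "__main__":
    for label, out in demo().items():
        print(f"{label:10s} -> {out!r}")
```

The point to carry over when reviewing a real upload module: the type of an object must be fixed by which code path created it, never by a field the client controls, and any privileged type (here StagedFile) should have exactly one constructor that the untrusted input path cannot reach.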

Affected Systems and Versions

  • Tableau Server (Windows and Linux): 2025.1 branch before 2025.1.3; 2024.2 branch before 2024.2.12; 2023.3 branch before 2023.3.19
  • Tableau Desktop (Windows and Linux): the same fixed releases (2025.1.3, 2024.2.12, 2023.3.19)

Any deployment on one of these branches that is older than the branch's fixed release is vulnerable if its file upload functionality is reachable by an attacker. Branches not listed here are not covered by this summary; check the vendor advisory for their status.
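As an added triage helper (not from the original page or the vendor), the following Python compares inventory version strings against the fixed releases listed above, branch by branch, and reports hosts on branches this page does not cover as undetermined rather than guessing. The inventory lines are constructed; the host names are not real.

```python
from typing import Dict, Optional, Tuple

# First fixed release per branch, as listed on this page. Branches absent from
# this table (e.g. 2024.1, 2024.3) cannot be judged from this data alone.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (2025, 1): (2025, 1, 3),
    (2024, 2): (2024, 2, 12),
    (2023, 3): (2023, 3, 19),
}

def parse_version(text: str) -> Tuple[int, int, int]:
    """Tableau versions are year.minor.patch; reject anything else loudly."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Tableau version: {text!r}")
    year, minor, patch = (int(p) for p in parts)
    return (year, minor, patch)

def is_affected(text: str) -> Optional[bool]:
    """True = below the branch's fix, False = at or above it, None = branch unknown."""
    version = parse_version(text)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return None
    return version < fixed

# Constructed inventory lines (host,product,version); not real hosts.
INVENTORY = """\
bi-prod-01,Tableau Server,2024.2.11
bi-prod-02,Tableau Server,2024.2.12
analyst-ws-07,Tableau Desktop,2025.1.2
bi-legacy,Tableau Server,2023.3.19
bi-test,Tableau Server,2024.3.4
"""

def triage(inventory: str) -> Dict[str, Optional[bool]]:
    """Map each host to its status; products other than Tableau are skipped."""
    status: Dict[str, Optional[bool]] = {}
    for line in inventory.splitlines():
        host, product, version = (f.strip() for f in line.split(",", 2))
        if not product.startswith("Tableau"):
            continue
        status[host] = is_affected(version)
    return status

if __name__ == "__main__":
    for host, state in triage(INVENTORY).items():
        label = {True: "AFFECTED", False: "fixed", None: "branch not listed"}[state]
        print(f"{host:14s} {label}")
```

Returning None for an unlisted branch is deliberate: treating "not in the table" as "not affected" is the common mistake in patch-status scripts, and for this CVE the page only lists three branches.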

Vendor Security History

In 2025, Salesforce Tableau products were affected by multiple critical vulnerabilities, including file upload flaws (CVE-2025-52449), authorization bypasses (CVE-2025-52446, CVE-2025-52447, CVE-2025-52448), and path traversal issues (CVE-2025-52452). Salesforce typically issues coordinated advisories and patches for such vulnerabilities. The repeated discovery of severe flaws in Tableau's file handling and input validation highlights ongoing security challenges in these areas.
