Introduction
Unauthorized access to production databases can have immediate consequences for data integrity and confidentiality. CVE-2025-52448 highlights a critical flaw in the way Salesforce Tableau Server handles user-controlled keys within its validate-initial-sql API modules, potentially allowing attackers to bypass authorization controls and access sensitive backend data.
About the involved parties:
Tableau, now owned by Salesforce, is a leading analytics and business intelligence platform with a global customer base spanning enterprises, governments, and research institutions. Tableau Server is the self-hosted version, widely deployed for on-premises analytics and data visualization. Salesforce, as a cloud and SaaS leader, supports millions of users and thousands of organizations worldwide, making vulnerabilities in its platforms highly impactful across industries.
Technical Information
CVE-2025-52448 is an authorization bypass vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key). The issue resides in Tableau Server's validate-initial-sql API modules on both Windows and Linux platforms. Attackers can manipulate user-controlled parameters or keys passed to the validate-initial-sql endpoint. If the API does not properly validate these keys, an attacker may be able to bypass authorization checks and gain direct access to the production database cluster.
The root cause is insufficient validation of user-supplied keys or parameters within the API logic. This allows unauthorized users to access sensitive data or backend functions intended only for authenticated or privileged users. No public code snippets or exploit samples are available for this vulnerability.
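The CWE-639 pattern the advisory describes, shown as an added illustration that is not Tableau Server code: a hypothetical request handler (names such as `DATASOURCES`, `PERMISSIONS` and the `validate_initial_sql_*` functions are assumptions for the demo) that trusts a data-source key from the request beside a hardened version that resolves the key only through the caller's own authorization set.

```python
# Added illustration of CWE-639 (authorization bypass through a user-controlled key).
# Constructed, hypothetical handler: NOT Tableau Server code. DATASOURCES, PERMISSIONS
# and the function names are assumptions made for this demo.
from dataclasses import dataclass


class AuthorizationError(Exception):
    pass


@dataclass(frozen=True)
class DataSource:
    key: str
    owner: str
    connection: str  # constructed label standing in for a backend connection


# Constructed sample state: two data sources owned by different users.
DATASOURCES = {
    "ds-1001": DataSource("ds-1001", owner="alice", connection="prod-cluster-a"),
    "ds-1002": DataSource("ds-1002", owner="bob", connection="prod-cluster-b"),
}
# Constructed permission model: user -> set of data-source keys they may use.
PERMISSIONS = {"alice": {"ds-1001"}, "bob": {"ds-1002"}}


def check_sql_syntax(sql: str) -> bool:
    """Stand-in for the real validation step: accept a single SELECT statement only."""
    s = sql.strip().rstrip(";").upper()
    return s.startswith("SELECT") and ";" not in s


def validate_initial_sql_vulnerable(user: str, datasource_key: str, sql: str) -> dict:
    # CWE-639 pattern: the caller is authenticated, but the data-source key taken from
    # the request is trusted as-is, so any known key reaches the backend check.
    ds = DATASOURCES[datasource_key]
    return {"datasource": ds.connection, "valid": check_sql_syntax(sql)}


def validate_initial_sql_fixed(user: str, datasource_key: str, sql: str) -> dict:
    # Mitigation: the key is honoured only if it is in the caller's authorization set,
    # and the handler fails closed with one error for both "unknown" and "not permitted"
    # so the endpoint does not become an existence oracle for data-source keys.
    if datasource_key not in PERMISSIONS.get(user, set()):
        raise AuthorizationError("not authorized for this data source")
    ds = DATASOURCES.get(datasource_key)
    if ds is None:
        raise AuthorizationError("not authorized for this data source")
    return {"datasource": ds.connection, "valid": check_sql_syntax(sql)}
```

The vulnerable handler lets an authenticated user reach a backend they hold no permission on simply by changing the key; the fixed one ties every lookup to the caller's identity.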
Affected Systems and Versions
- Tableau Server on Windows and Linux
- Affected versions:
  - Before 2025.1.3
  - Before 2024.2.12
  - Before 2023.3.19
- Vulnerable component: validate-initial-sql API modules
Vendor Security History
Salesforce has previously addressed several security issues in Tableau Server. Notably, CVE-2025-26494 involved a server-side request forgery (SSRF) vulnerability that allowed authentication bypass. Other recent CVEs have targeted configuration and access control weaknesses in Salesforce and Tableau products. Salesforce typically issues prompt advisories and patches for critical vulnerabilities, though some issues have required multiple updates to fully resolve.