Salesforce Tableau Server CVE-2025-52448: Brief Summary of Authorization Bypass via User-Controlled Key

A brief summary of CVE-2025-52448, an authorization bypass vulnerability in Salesforce Tableau Server affecting validate-initial-sql API modules. This post covers affected versions, technical details, and vendor security history based on available public information.

ZeroPath CVE Analysis

2025-07-25

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.


Introduction

Unauthorized access to production databases can have immediate consequences for data integrity and confidentiality. CVE-2025-52448 highlights a critical flaw in the way Salesforce Tableau Server handles user-controlled keys within its validate-initial-sql API modules, potentially allowing attackers to bypass authorization controls and access sensitive backend data.

About the involved parties:

Tableau, now owned by Salesforce, is a leading analytics and business intelligence platform with a global customer base spanning enterprises, governments, and research institutions. Tableau Server is the self-hosted version, widely deployed for on-premises analytics and data visualization. Salesforce, as a cloud and SaaS leader, supports millions of users and thousands of organizations worldwide, making vulnerabilities in its platforms highly impactful across industries.

Technical Information

CVE-2025-52448 is an authorization bypass vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key). The issue resides in Tableau Server's validate-initial-sql API modules on both Windows and Linux platforms. Attackers can manipulate user-controlled parameters or keys passed to the validate-initial-sql endpoint. If the API does not properly validate these keys, an attacker may be able to bypass authorization checks and gain direct access to the production database cluster.

The root cause is insufficient validation of user-supplied keys or parameters within the API logic. This allows unauthorized users to access sensitive data or backend functions intended only for authenticated or privileged users. No public code snippets or exploit samples are available for this vulnerability.

Affected Systems and Versions

  • Tableau Server on Windows and Linux
  • Affected versions:
    • Before 2025.1.3
    • Before 2024.2.12
    • Before 2023.3.19
  • Vulnerable component: validate-initial-sql API modules
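
The version list above, turned into an inventory check. This is an added example, not code from Salesforce or from the original post. It assumes version strings of the form `YYYY.N.M`, treats releases on branches the list does not name as affected unless they are newer than the newest fixed release, and uses constructed host names.

```python
import re

# Fixed maintenance release per branch, taken from the version list above.
FIXED = {(2025, 1): 3, (2024, 2): 12, (2023, 3): 19}
NEWEST_FIXED = max(branch + (maint,) for branch, maint in FIXED.items())

# Assumption: versions look like "2024.2.11"; a bare "2024.2" means maintenance 0.
_VERSION = re.compile(r"^\s*(\d{4})\.(\d+)(?:\.(\d+))?\s*$")


def parse_version(text):
    match = _VERSION.match(text)
    if not match:
        raise ValueError(f"not a Tableau Server version string: {text!r}")
    year, minor, maint = match.groups()
    return int(year), int(minor), int(maint or 0)


def is_affected(text):
    """True if the version predates the fix for CVE-2025-52448."""
    year, minor, maint = parse_version(text)
    if (year, minor) in FIXED:
        # Compare inside the branch: 2024.2.12 is fixed although it sorts before 2025.1.3.
        return maint < FIXED[(year, minor)]
    # Assumption: a branch the list does not name has no fixed release of its own,
    # so it counts as affected unless it is newer than the newest fixed release.
    return (year, minor, maint) < NEWEST_FIXED


def triage(inventory):
    """Map each host to 'affected', 'fixed or later', or 'unparsed'."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = "affected" if is_affected(version) else "fixed or later"
        except ValueError:
            report[host] = "unparsed"  # needs a manual look, never silently passed
    return report


# Constructed sample inventory; host names and versions are illustrative only.
SAMPLE_INVENTORY = {
    "tableau-prod-01": "2024.2.11",
    "tableau-prod-02": "2024.2.12",
    "tableau-dr-01": "2023.1.7",
    "tableau-lab-01": "unknown",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Comparing every host against a single "latest fixed" version would wrongly flag patched 2024.2 and 2023.3 installations, which is why the check is done per branch.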

Vendor Security History

Salesforce has previously addressed several security issues in Tableau Server. Notably, CVE-2025-26494 involved a server-side request forgery (SSRF) vulnerability that allowed authentication bypass. Other recent CVEs have targeted configuration and access control weaknesses in Salesforce and Tableau products. Salesforce typically issues prompt advisories and patches for critical vulnerabilities, though some issues have required multiple updates to fully resolve.
