Type Confusion Vulnerability in Salesforce Tableau Server and Desktop
CVE-2025-26496

9.3 CRITICAL

Key Information:

Vendor: Salesforce

CVE Published: 22 August 2025

What is CVE-2025-26496?

CVE-2025-26496 is a type confusion vulnerability in the Salesforce Tableau Server and Tableau Desktop applications. It arises from improper handling of resource access: a type mismatch may lead to local code inclusion. Tableau is a data visualization and business intelligence tool widely used by organizations for analyzing and presenting data, so exploitation can have a severe impact. Successful exploitation may allow unauthorized users to execute arbitrary code within the affected systems, compromising sensitive data and operational capabilities.

Tableau Server and Tableau Desktop releases earlier than the versions listed under Affected Version(s) are vulnerable, so organizations need to keep this software updated to protect the integrity and security of their data analytics environments. The potential for local code inclusion makes this vulnerability particularly concerning, because it widens what an adversary can do once they gain access to the system.

Potential impact of CVE-2025-26496

  1. Unauthorized Code Execution: The vulnerability could allow attackers to execute arbitrary code within the Tableau environment, potentially gaining full control over the affected systems. This access could lead to manipulation of data, introduction of malware, or further escalation of privileges.

  2. Data Breach Risks: With the capability to run unauthorized code, there is a significant risk of exposure to sensitive organizational data. Attackers could exploit this vulnerability to extract, alter, or delete critical business intelligence datasets that rely on Tableau for analytics and reporting.

  3. Operational Disruption: The exploitation of CVE-2025-26496 could result in significant disruptions to business operations. Compromised systems may lead to downtime, affecting data availability for decision-making processes, and damaging the overall productivity of the organization.

Affected Version(s)

Tableau Server, Tableau Desktop (Windows): versions before 2025.1.3

Tableau Server, Tableau Desktop (Windows): versions before 2024.2.12

Tableau Server, Tableau Desktop (Windows): versions before 2023.3.19

CVSS V3.1

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
