Type Confusion Vulnerability in Salesforce Tableau Server and Desktop
CVE-2025-26496

9.6 CRITICAL

Key Information:

Vendor: Salesforce
CVE Published: 22 August 2025

What is CVE-2025-26496?

A Type Confusion vulnerability exists in Salesforce's Tableau Server and Tableau Desktop, which may lead to Local Code Inclusion. The flaw is exploitable because of improper resource access handling, particularly within the file upload modules available on both Windows and Linux platforms. Users running Tableau products older than the specified versions should take immediate action to mitigate the associated risks and secure their environments.

Affected Version(s)

Tableau Server, Tableau Desktop Windows 0 < 2025.1.3

Tableau Server, Tableau Desktop Windows 0 < 2024.2.12

Tableau Server, Tableau Desktop Windows 0 < 2023.3.19

CVSS V3.1

Score: 9.6
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Adjacent Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
