CVE-2025-26496: 
Tableau Server vulnerability analysis and mitigation

CVE-2025-26496 is a Type Confusion vulnerability discovered in Salesforce Tableau Server and Tableau Desktop's File Upload modules on Windows and Linux platforms. The vulnerability was disclosed on August 22, 2025, affecting multiple versions of Tableau Server and Tableau Desktop: versions before 2025.1.3, 2024.2.12, and 2023.3.19 (NVD, SecurityOnline).

The vulnerability is classified as an Access of Resource Using Incompatible Type ('Type Confusion') vulnerability that allows Local Code Inclusion. It has received a Critical CVSS v3.1 base score of 9.3, with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. The vulnerability is tracked under CWE-843 (Access of Resource Using Incompatible Type) (NVD, AttackerKB).

The vulnerability has a Critical severity rating with high impacts on confidentiality, integrity, and availability. The Changed scope indicates that the vulnerability can affect resources beyond its restricted scope. The attack can lead to Local Code Inclusion, potentially allowing attackers to execute malicious code in the context of the affected application (SecurityOnline).

Salesforce has released patches across supported versions. Users are strongly advised to upgrade to Tableau Server versions 2025.1.4 or later, 2024.2.13 or later, or 2023.3.20 or later. The patches are available through the Tableau Server Maintenance Release page (SecurityOnline).