CVE-2025-26498: 
Tableau Server vulnerability analysis and mitigation

An Unrestricted Upload of File with Dangerous Type vulnerability (CVE-2025-26498) was discovered in Salesforce Tableau Server's establish-connection-no-undo modules affecting both Windows and Linux platforms. The vulnerability was disclosed on August 22, 2025, and affects Tableau Server versions before 2025.1.3, before 2024.2.12, and before 2023.3.19 (NVD, SecurityOnline).

The vulnerability has been assigned a CVSS v3.1 base score of 7.3 (High) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L. The flaw allows Absolute Path Traversal through dangerous file uploads in the establish-connection-no-undo modules. The vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) (NVD, GBHackers).

The vulnerability could allow attackers to perform Absolute Path Traversal attacks, potentially enabling them to write files to arbitrary locations on the server filesystem. This could lead to unauthorized access to sensitive system files and potential system compromise in enterprise environments where Tableau Server is integrated into reporting and analytics workflows (CyberSecurityNews, GBHackers).

Salesforce has released patches for the vulnerability in the July 22, 2025 maintenance release. Organizations are strongly advised to upgrade to Tableau Server versions 2025.1.3, 2024.2.12, or 2023.3.19 or later. The fixes are available through the Tableau Server Maintenance Release page (SecurityOnline).