cvebase

Tableau Server vulnerabilities

22 known vulnerabilities affecting tableau/tableau_server.

Total CVEs: 22
CISA KEV: 0
Public exploits: 1
Exploited in wild: 1
Severity breakdown: CRITICAL 3, HIGH 15, MEDIUM 4

Vulnerabilities

Page 1 of 2
CVE-2019-15637 | P2 | HIGH | CVSS 8.1 | Exploited | PoC | ≥ 10.5, ≤ 10.5.18; ≥ 2018.1, ≤ 2018.1.15; +7 more | 2019-08-26
CWE-611: Numerous Tableau products are vulnerable to XXE via a malicious workbook, extension, or data source, leading to information disclosure or a DoS. This affects Tableau Server, Tableau Desktop, Tableau Reader, and Tableau Public Desktop.
nvd
CVE-2022-22128 | P2 | CRITICAL | CVSS 9.8 | ≥ 2020.4, ≤ 2020.4.20; ≥ 2021.1, ≤ 2021.1.17; +5 more | 2022-10-17
CWE-22: Tableau discovered a path traversal vulnerability affecting Tableau Server Administration Agent’s internal file transfer service that could allow remote code execution. Tableau only supports product versions for 24 months after release. Older versions have reached their End of Life and are no longer supported. They are also not assessed for potentia
nvd
CVE-2020-6939 | P3 | CRITICAL | CVSS 9.8 | ≥ 2018.2, ≤ 2018.2.27; ≥ 2018.3, ≤ 2018.3.24; +16 more | 2020-11-23
Tableau Server installations configured with Site-Specific SAML that allows the APIs to be used by unauthenticated users. If exploited, this could allow a malicious user to configure Site-Specific SAML settings and could lead to account takeover for users of that site. Tableau Server versions affected on both Windows and Linux are: 2018.2 through 2018.2.27,
nvd
CVE-2025-52452 | P3 | HIGH | CVSS 8.5 | fixed in 2023.3.19; ≥ 2024.2, < 2024.2.12; +1 more | 2025-07-25
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Salesforce Tableau Server on Windows, Linux (tabdoc api - duplicate-data-source modules) allows Absolute Path Traversal. This issue affects Tableau Server: before 2025.1.3, before 2024.2.12, before 2023.3.19.
nvd
CVE-2025-52448 | P3 | HIGH | CVSS 8.1 | fixed in 2023.3.19; ≥ 2024.2, < 2024.2.12; +1 more | 2025-07-25
CWE-639: Authorization Bypass Through User-Controlled Key vulnerability in Salesforce Tableau Server on Windows, Linux (validate-initial-sql api modules) allows Interface Manipulation (data access to the production database cluster). This issue affects Tableau Server: before 2025.1.3, before 2024.2.12, before 2023.3.19.
nvd
CVE-2025-52447 | P3 | HIGH | CVSS 8.1 | fixed in 2023.3.19; ≥ 2024.2, < 2024.2.12; +1 more | 2025-07-25
CWE-639: Authorization Bypass Through User-Controlled Key vulnerability in Salesforce Tableau Server on Windows, Linux (set-initial-sql tabdoc command modules) allows Interface Manipulation (data access to the production database cluster). This issue affects Tableau Server: before 2025.1.3, before 2024.2.12, before 2023.3.19.
nvd
CVE-2025-26496 | P3 | CRITICAL | CVSS 9.3 | fixed in 2023.3.19; ≥ 2024.2, < 2024.2.12; +1 more | 2025-08-22
CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') vulnerability in Salesforce Tableau Server, Tableau Desktop on Windows, Linux (File Upload modules) allows Local Code Inclusion. This issue affects Tableau Server, Tableau Desktop: before 2025.1.3, before 2024.2.12, before 2023.3.19.
nvd
CVE-2025-52454 | P3 | HIGH | CVSS 8.2 | fixed in 2023.3.19; ≥ 2024.2, < 2024.2.12; +1 more | 2025-07-25
CWE-918: Server-Side Request Forgery (SSRF) vulnerability in Salesforce Tableau Server on Windows, Linux (Amazon S3 Connector modules) allows Resource Location Spoofing. This issue affects Tableau Server: before 2025.1.3, before 2024.2.12, before 2023.3.19.
nvd
CVE-2025-52453 | P3 | HIGH | CVSS 8.2 | fixed in 2023.3.19; ≥ 2024.2, < 2024.2.12; +1 more | 2025-07-25
CWE-918: Server-Side Request Forgery (SSRF) vulnerability in Salesforce Tableau Server on Windows, Linux (Flow Data Source modules) allows Resource Location Spoofing. This issue affects Tableau Server: before 2025.1.3, before 2024.2.12, before 2023.3.19.
nvd
CVE-2025-26497 | P3 | HIGH | CVSS 7.3 | fixed in 2023.3.19; ≥ 2024.2, < 2024.2.12; +1 more | 2025-08-22
CWE-434: Unrestricted Upload of File with Dangerous Type vulnerability in Salesforce Tableau Server on Windows, Linux (Flow Editor modules) allows Absolute Path Traversal. This issue affects Tableau Server: before 2025.1.3, before 2024.2.12, before 2023.3.19.
nvd
CVE-2025-26498 | P3 | HIGH | CVSS 7.3 | fixed in 2023.3.19; ≥ 2024.2, < 2024.2.12; +1 more | 2025-08-22
CWE-434: Unrestricted Upload of File with Dangerous Type vulnerability in Salesforce Tableau Server on Windows, Linux (establish-connection-no-undo modules) allows Absolute Path Traversal. This issue affects Tableau Server: before 2025.1.3, before 2024.2.12, before 2023.3.19.
nvd
CVE-2025-26494 | P3 | HIGH | CVSS 7.7 | ≥ 2023.3, ≤ 2023.3.5 | 2025-02-11
CWE-918: Server-Side Request Forgery (SSRF) vulnerability in Salesforce Tableau Server allows Authentication Bypass. This issue affects Tableau Server: from 2023.3 through 2023.3.5.
nvd
CVE-2025-52449 | P3 | HIGH | CVSS 8.5 | fixed in 2023.3.19; ≥ 2024.2, < 2024.2.12; +1 more | 2025-07-25
CWE-434: Unrestricted Upload of File with Dangerous Type vulnerability in Salesforce Tableau Server on Windows, Linux (Extensible Protocol Service modules) allows Alternative Execution Due to Deceptive Filenames (RCE). This issue affects Tableau Server: before 2025.1.3, before 2024.2.12, before 2023.3.19.
nvd
CVE-2025-52451 | P3 | HIGH | CVSS 8.5 | fixed in 2023.3.19; ≥ 2024.2, < 2024.2.12; +1 more | 2025-08-22
CWE-20: Improper Input Validation vulnerability in Salesforce Tableau Server on Windows, Linux (tabdoc api - create-data-source-from-file-upload modules) allows Absolute Path Traversal. This issue affects Tableau Server: before 2025.1.3, before 2024.2.12, before 2023.3.19.
nvd
CVE-2025-52446 | P3 | HIGH | CVSS 8.0 | fixed in 2023.3.19; ≥ 2024.2, < 2024.2.12; +1 more | 2025-07-25
CWE-639: Authorization Bypass Through User-Controlled Key vulnerability in Salesforce Tableau Server on Windows, Linux (tab-doc api modules) allows Interface Manipulation (data access to the production database cluster). This issue affects Tableau Server: before 2025.1.3, before 2024.2.12, before 2023.3.19.
nvd
CVE-2022-22127 | P3 | HIGH | CVSS 7.2 | ≥ 2020.4, ≤ 2020.4.16; ≥ 2021.1, ≤ 2021.1.13; +4 more | 2022-05-25
Tableau is aware of a broken access control vulnerability present in Tableau Server affecting Tableau Server customers using Local Identity Store for managing users. The vulnerability allows a malicious site administrator to change passwords for users in different sites hosted on the same Tableau Server, resulting in the potential for unauthorized access to d
nvd
CVE-2025-52450 | P3 | MEDIUM | CVSS 6.5 | fixed in 2023.3.19; ≥ 2024.2, < 2024.2.12; +1 more | 2025-08-22
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Salesforce Tableau Server on Windows, Linux (abdoc api - create-data-source-from-file-upload modules) allows Absolute Path Traversal. This issue affects Tableau Server: before 2025.1.3, before 2024.2.12, before 2023.3.19.
nvd
CVE-2019-19719 | P3 | MEDIUM | CVSS 6.1 | ≥ 10.3, ≤ 2019.4 | 2019-12-11
CWE-79: Tableau Server 10.3 through 2019.4 on Windows and Linux allows XSS via the embeddedAuthRedirect page.
nvd
CVE-2025-26495 | P3 | HIGH | CVSS 7.5 | ≥ 2020.4, < 2020.4.19; ≥ 2021.1, < 2021.1.16; +4 more | 2025-02-11
CWE-312: Cleartext Storage of Sensitive Information vulnerability in Salesforce Tableau Server can record the Personal Access Token (PAT) into logging repositories. This issue affects Tableau Server: before 2022.1.3, before 2021.4.8, before 2021.3.13, before 2021.2.14, before 2021.1.16, before 2020.4.19.
nvd
CVE-2020-6938 | P3 | HIGH | CVSS 7.5 | ≥ 2018.1, ≤ 2020.2; v10.5; +1 more | 2020-07-08
CWE-532: A sensitive information disclosure vulnerability in Tableau Server 10.5, 2018.x, 2019.x, 2020.x released before June 26, 2020, could allow access to sensitive information in log files.
nvd