CVE-2025-26496: CWE-843 Access of Resource Using Incompatible Type ('Type Confusion') in Salesforce Tableau Server, Tableau Desktop
Access of Resource Using Incompatible Type ('Type Confusion') vulnerability in Salesforce Tableau Server, Tableau Desktop on Windows, Linux (File Upload modules) allows Local Code Inclusion. This issue affects Tableau Server, Tableau Desktop: before 2025.1.3, before 2024.2.12, before 2023.3.19.
AI Analysis
Technical Summary
CVE-2025-26496 is a critical security vulnerability classified as CWE-843 (Access of Resource Using Incompatible Type, or type confusion) found in Salesforce's Tableau Server and Tableau Desktop products on Windows and Linux operating systems. The flaw exists within the file upload modules of these products, where improper handling of resource types leads to type confusion. This vulnerability enables an attacker with local access to perform Local Code Inclusion (LCI), allowing arbitrary code execution within the context of the affected application. The vulnerability affects Tableau Server and Tableau Desktop before 2025.1.3, before 2024.2.12, and before 2023.3.19. The CVSS v3.1 base score is 9.3, indicating critical severity, with an attack vector of local access (AV:L), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and a scope change (S:C). The impact on confidentiality, integrity, and availability is high, as successful exploitation could lead to full system compromise, data theft, or disruption of analytics services. Although no known exploits have been reported in the wild yet, the vulnerability's nature and critical score suggest that exploitation could be straightforward once local access is obtained. The issue was reserved in February 2025 and published in August 2025, with patches expected or already released in the specified fixed versions. The vulnerability underscores the risks associated with file upload handling and type safety in complex software systems like Tableau, widely used for business intelligence and data visualization.
Potential Impact
The potential impact of CVE-2025-26496 is severe for organizations using affected versions of Tableau Server and Tableau Desktop. Successful exploitation allows an attacker with local access to execute arbitrary code, potentially leading to full system compromise. This can result in unauthorized access to sensitive business intelligence data, manipulation or deletion of critical analytics reports, and disruption of data visualization services. Given Tableau's role in decision-making and data analysis, such a compromise could lead to significant operational downtime, loss of data integrity, and exposure of confidential corporate information. The vulnerability's ability to affect confidentiality, integrity, and availability simultaneously elevates the risk profile. Organizations with large deployments of Tableau, especially those handling sensitive or regulated data, face increased risk of data breaches and compliance violations. Additionally, the local access requirement means insider threats or attackers who have gained initial footholds on internal networks could leverage this vulnerability to escalate privileges and move laterally within enterprise environments.
Mitigation Recommendations
To mitigate CVE-2025-26496, organizations should immediately upgrade affected Tableau Server and Tableau Desktop installations to versions 2025.1.3, 2024.2.12, 2023.3.19, or later as provided by Salesforce. Until patches are applied, restrict local access to Tableau servers and desktops to trusted personnel only, employing strict access controls and monitoring. Implement robust endpoint security solutions to detect and prevent unauthorized local access or suspicious file upload activities. Employ application whitelisting and privilege restrictions to limit the ability of attackers to execute arbitrary code even if they gain local access. Conduct regular audits of user accounts and permissions on Tableau systems to minimize insider threat risks. Additionally, monitor logs for unusual file upload or execution behavior within Tableau environments. Organizations should also consider network segmentation to isolate Tableau servers from less trusted network zones, reducing the likelihood of attackers gaining local access. Finally, maintain an incident response plan that includes procedures for rapid patch deployment and forensic analysis in case of exploitation.
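A version check for the upgrade step above, as an added example that is not part of the original advisory or of Salesforce's tooling: it compares installed versions numerically, per release branch, against the fixed builds listed here. The host names and inventory rows are constructed, and the handling of branches the advisory does not list (older ones treated as affected, newer ones as fixed, in-between ones flagged for review) is an assumption.

```python
import re

# Fixed builds from the advisory, keyed by (year, release) branch.
FIXED = {(2025, 1): 3, (2024, 2): 12, (2023, 3): 19}

def parse_version(text):
    """Return (year, release, maintenance) as ints, or None if unparsable."""
    m = re.fullmatch(r"\s*(\d{4})\.(\d+)\.(\d+)\s*", text)
    return tuple(int(p) for p in m.groups()) if m else None

def triage(version_text):
    """Classify a version as 'fixed', 'affected', 'review' or 'invalid'."""
    v = parse_version(version_text)
    if v is None:
        return "invalid"
    branch, maintenance = v[:2], v[2]
    if branch in FIXED:
        # Numeric compare: as strings, "2024.2.9" sorts after "2024.2.12".
        return "fixed" if maintenance >= FIXED[branch] else "affected"
    if branch < min(FIXED):
        # Assumption: branches older than 2023.3 have no fixed build listed,
        # so they fall under "before 2023.3.19".
        return "affected"
    if branch > max(FIXED):
        # Assumption: a branch newer than 2025.1 counts as "or later".
        return "fixed"
    # Assumption: unlisted branches in between need a manual check.
    return "review"

def triage_inventory(rows):
    """Map each host to its triage result; rows are (host, version) pairs."""
    return {host: triage(version) for host, version in rows}

# Constructed inventory for illustration only.
SAMPLE_INVENTORY = [
    ("bi-srv-01", "2024.2.9"),
    ("bi-srv-02", "2024.2.12"),
    ("analyst-17", "2023.3.18"),
    ("analyst-22", "2024.3.1"),
    ("legacy-03", "2022.4.6"),
    ("kiosk-05", "not installed"),
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```

Hosts reported as `review` or `invalid` need a manual look against the vendor's advisory before they are counted as patched.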
Affected Countries
United States, Canada, United Kingdom, Germany, France, Australia, Japan, South Korea, India, Brazil, Netherlands, Singapore
Technical Details
- Data Version: 5.1
- Assigner Short Name: Salesforce
- Date Reserved: 2025-02-11T17:18:13.649Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68a8d3f1ad5a09ad002249d3
Added to database: 8/22/2025, 8:32:49 PM
Last enriched: 2/27/2026, 1:20:25 AM
Last updated: 3/26/2026, 11:11:24 AM