A new security vulnerability (CVE-2025-26495) has been discovered in Salesforce Tableau Server that can lead to Cleartext Storage of Sensitive Information. This issue affects Tableau Server versions before 2022.1.3, before 2021.4.8, before 2021.3.13, before 2021.2.14, before 2021.1.16, and before 202.4.19. The vulnerability involves the storage of Personal Access Tokens (PATs) in logging repositories, which could potentially allow an attacker to gain unauthorized access to sensitive information.
The exploit for this vulnerability is detailed below, along with a brief explanation of the affected versions, links to original references, and a recommended solution to mitigate the risk associated with this vulnerability. Be sure to follow the step-by-step instructions to patch any vulnerable Tableau Server installations.
Exploit Details
The root cause of this vulnerability is the inappropriate storage of PATs in logging repositories. The PATs are stored in cleartext rather than being encrypted or hashed, so anyone who can read the logs can recover the tokens with relative ease. Using these tokens, an attacker can potentially gain unauthorized access to sensitive Tableau Server data.
To demonstrate the issue, consider the following code snippet that logs a PAT in cleartext form:
    // Code snippet demonstrating the logging of a PAT in cleartext form (SLF4J assumed; the page does not name the logging library)
    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;
    public class PatLogger {
        private static final Logger log = LoggerFactory.getLogger(PatLogger.class);
        // Vulnerable pattern: the token is concatenated into the message and written to the log as-is
        public void logPersonalAccessToken(String pat) {
            log.info("Personal Access Token: " + pat);
        }
    }
This code snippet showcases the problem: the PAT is written to the log in its original, unencrypted form.
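As an added illustration (not code from the page or from Tableau), the following Python contrasts the vulnerable pattern above with a hardened logger that redacts the token before it reaches any handler. It assumes nothing about Tableau's internals: the log label is the one from the snippet above, the key names in the pattern are assumptions, and the token value is a constructed placeholder.

```python
import logging
import re
from io import StringIO

# Label from the snippet above plus generic key=value spellings; the key
# names are assumptions, not Tableau's actual field names.
TOKEN_PATTERN = re.compile(
    r"(?i)(personal\s*access\s*token(?:\s*secret)?\s*[:=]\s*)(\S+)"
)


def redact(message: str) -> str:
    """Keep the label, replace the token value with a fixed marker."""
    return TOKEN_PATTERN.sub(lambda m: m.group(1) + "[REDACTED]", message)


class PatRedactingFilter(logging.Filter):
    """Rewrite the record before any handler formats or writes it."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Render args first so a token passed via %s is also caught.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def _make_logger(name: str, redacting: bool) -> tuple:
    """Fresh logger writing to an in-memory buffer so the output can be inspected."""
    buf = StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    if redacting:
        logger.addFilter(PatRedactingFilter())
    return logger, buf


def log_pat_cleartext(pat: str) -> str:
    """Vulnerable pattern from the page: the PAT lands in the log verbatim."""
    logger, buf = _make_logger("tableau.vulnerable", redacting=False)
    logger.info("Personal Access Token: " + pat)
    return buf.getvalue().strip()


def log_pat_redacted(pat: str) -> str:
    """Hardened pattern: the filter strips the secret before it is written."""
    logger, buf = _make_logger("tableau.hardened", redacting=True)
    logger.info("Personal Access Token: %s", pat)
    return buf.getvalue().strip()


if __name__ == "__main__":
    # Constructed placeholder, not a real token.
    sample = "pat-CONSTRUCTED-0123456789"
    print(log_pat_cleartext(sample))   # secret visible in the log line
    print(log_pat_redacted(sample))    # secret replaced by [REDACTED]
```

The filter is attached to the logger rather than to one handler, so every handler (file, console, remote collector) receives the already-redacted record; a redaction that lives in a single handler is easy to bypass by adding another.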
Original References
For an in-depth explanation of this vulnerability, as well as its implications and potential risks, please refer to the following sources:
- National Vulnerability Database (NVD) CVE-2025-26495: Link
- MITRE's CVE Entry for CVE-2025-26495: Link
- Tableau Security Advisory for CVE-2025-26495: Link
Solution
To mitigate this vulnerability and protect your Tableau Server installation from potential unauthorized access to sensitive information, it is essential to update your Tableau Server to the latest, secure version. Follow these steps to do so:
1. Review the Tableau Server release notes to determine the most recent, non-vulnerable version: Link
2. Follow the official Tableau Server upgrade instructions to update your server installation to the recommended version: Link
It is also worth considering best practices for software development, such as always encrypting or hashing sensitive information like PATs before storing or logging them.
By implementing these steps, you can ensure that your Tableau Server installation remains secure against the CVE-2025-26495 vulnerability.
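As a further added example (not part of the page, nor Tableau's own tooling), this Python audit helper scans existing log lines for tokens that were already written in cleartext, so an administrator performing the upgrade above can decide which PATs to revoke and rotate. The log lines are constructed, and the regex is derived from the snippet's label rather than from Tableau's actual log format, which the advisory text does not describe.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Iterable, List

# Same label-based pattern as the snippet earlier on the page; Tableau's real
# log layout is not known from the advisory text, so adapt the regex as needed.
TOKEN_PATTERN = re.compile(
    r"(?i)(personal\s*access\s*token(?:\s*secret)?\s*[:=]\s*)(\S+)"
)
REDACTED_MARKER = "[REDACTED]"


@dataclass(frozen=True)
class Finding:
    line_no: int
    # SHA-256 prefix of the exposed value: enough to correlate the same token
    # across lines without copying the secret into the audit report.
    fingerprint: str


def fingerprint(value: str) -> str:
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:12]


def audit_log_lines(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per cleartext token occurrence, skipping redacted ones."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for match in TOKEN_PATTERN.finditer(line):
            value = match.group(2)
            if value == REDACTED_MARKER:
                continue
            findings.append(Finding(line_no, fingerprint(value)))
    return findings


def tokens_to_revoke(findings: Iterable[Finding]) -> int:
    """Number of distinct exposed tokens, i.e. how many PATs need rotating."""
    return len({f.fingerprint for f in findings})


# Constructed sample log lines; timestamps and token values are placeholders.
SAMPLE_LOG = [
    "2025-02-11 18:15:47 INFO  session established for user analyst",
    "2025-02-11 18:15:48 INFO  Personal Access Token: pat-CONSTRUCTED-aaaa1111",
    "2025-02-11 18:16:02 INFO  Personal Access Token: [REDACTED]",
    "2025-02-11 18:16:10 DEBUG personalAccessTokenSecret=pat-CONSTRUCTED-bbbb2222",
    "2025-02-11 18:17:30 INFO  Personal Access Token: pat-CONSTRUCTED-aaaa1111",
]

if __name__ == "__main__":
    found = audit_log_lines(SAMPLE_LOG)
    for f in found:
        print(f"line {f.line_no}: exposed token fingerprint {f.fingerprint}")
    print(f"{tokens_to_revoke(found)} distinct token(s) to revoke")
```

The report deliberately carries only a hash prefix of each token: an audit file that listed the secrets verbatim would recreate the very exposure being cleaned up.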
Timeline
Published on: 02/11/2025 18:15:47 UTC
Last modified on: 03/04/2025 21:15:14 UTC