Cyber Posture

CVE-2025-26495

High

Published: 11 February 2025
Modified: 29 October 2025
KEV Added: not listed
Patch: available (fixed versions per branch, see NVD Description)
CVSS Score: 7.5 (High) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score: 0.0012 (30.3rd percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-26495 is a high-severity Cleartext Storage of Sensitive Information (CWE-312) vulnerability in Salesforce Tableau Server. Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001). EPSS ranks it at the 30.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AU-9 (Protection of Audit Information) and SC-28 (Protection of Information at Rest).

Threat & Defense at a Glance

What attackers do: exploitation maps to Credentials In Files (T1552.001). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-2 (Flaw Remediation) mandates identification, reporting, and correction of system flaws. For this cleartext logging vulnerability that means upgrading each affected Tableau Server branch to its fixed release (2020.4.19, 2021.1.16, 2021.2.14, 2021.3.13, 2021.4.8 or 2022.1.3), which stops new PATs from being written to the logs.

Prevent: AU-9 (Protection of Audit Information) requires that audit information and logging tools be protected from unauthorized access, modification, and deletion. Restricting who can read the logging repositories limits who can harvest the PATs already recorded in them.

Prevent: SC-28 (Protection of Information at Rest), with its enhancement SC-28(1) (Cryptographic Protection), calls for sensitive information such as PATs to be protected while at rest, including in log stores, so that confidentiality survives a copy of the repository leaving the host. Note that encryption at rest does not help against a reader who reaches the logs through a legitimate access path; the root fix is not writing the secret in the first place.

MITRE ATT&CK Enterprise Techniques

T1552.001 Credentials In Files Credential Access
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Why these techniques?

Cleartext storage of PATs in log files directly enables extraction of unsecured credentials from files.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Cleartext Storage of Sensitive Information vulnerability in Salesforce Tableau Server can record the Personal Access Token (PAT) into logging repositories. This issue affects Tableau Server: before 2022.1.3, before 2021.4.8, before 2021.3.13, before 2021.2.14, before 2021.1.16, before 2020.4.19.

Deeper analysis

CVE-2025-26495 is a Cleartext Storage of Sensitive Information vulnerability (CWE-312) in Salesforce Tableau Server. The flaw causes Personal Access Tokens (PATs), which serve as authentication credentials, to be logged in plaintext within logging repositories. This affects Tableau Server versions prior to 2022.1.3, 2021.4.8, 2021.3.13, 2021.2.14, 2021.1.16, and 2020.4.19.

The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). The vector models an attacker who can reach the logging repositories over the network without authenticating or involving a user, and who gains a high-impact confidentiality loss: a PAT recovered from the logs authenticates to the Tableau Server REST API as the token's owner, so whatever that account can see or do is exposed. In practice the exposure depends on who can read the repositories the logs are written or copied to (log aggregation, backups, shared log directories).

Salesforce advisories recommend upgrading to the specified patched versions (2022.1.3 or later, 2021.4.8 or later, and the equivalents for the other branches) to mitigate the issue. Patching stops new tokens from being logged but does not remove PATs already written; any PAT found in retained logs should be treated as compromised and revoked. Additional details on the vulnerability and remediation are provided in the official advisory at https://help.salesforce.com/s/articleView?id=000390611&type=1.
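The following is an added example, not code from Tableau Server or from Salesforce, illustrating the two halves of the response described above and in the controls section: scrubbing the secret before a sign-in request is logged (the fix the patch applies, modelled here in application code), and hunting existing log lines for PAT and session secrets that were logged in cleartext (the T1552.001 exposure that AU-9 tries to contain). It assumes the secret travels in a "personalAccessTokenSecret" field (JSON body or XML attribute) and that session tokens are sent in an X-Tableau-Auth header, which matches the public Tableau REST API sign-in shape; the log lines and token values are constructed for the example.

```python
"""Added example (not Tableau's code): redact PAT secrets before logging and
find secrets already logged in cleartext (CWE-312 / ATT&CK T1552.001).

Assumed field names: "personalAccessTokenSecret" (JSON or XML sign-in body)
and the X-Tableau-Auth header.  All log lines and tokens below are constructed.
"""
import json
import re

REDACTED = "[REDACTED]"

# Each pattern captures (prefix, secret value, suffix) so group 2 is the secret.
_JSON_RE = re.compile(r'("personalAccessTokenSecret"\s*:\s*")([^"]*)(")', re.I)
_XML_RE = re.compile(r'(personalAccessTokenSecret\s*=\s*")([^"]*)(")', re.I)
_HDR_RE = re.compile(r'(X-Tableau-Auth\s*:\s*)(\S+)()', re.I)

PATTERNS = (
    ("personalAccessTokenSecret", _JSON_RE),
    ("personalAccessTokenSecret", _XML_RE),
    ("X-Tableau-Auth", _HDR_RE),
)


def redact(text: str) -> str:
    """Replace every secret value in a body or header line with a marker."""
    for _, rx in PATTERNS:
        text = rx.sub(rf"\1{REDACTED}\3", text)
    return text


def log_request_vulnerable(body: str, sink: list) -> None:
    """The CWE-312 pattern: the raw sign-in body is written to the log sink."""
    sink.append(f"DEBUG signin body={body}")


def log_request_hardened(body: str, sink: list) -> None:
    """Same call site, but secrets are scrubbed before the line is emitted."""
    sink.append(f"DEBUG signin body={redact(body)}")


def find_leaked_secrets(lines):
    """Return (line_no, key, value) for every cleartext secret in existing logs.

    Lines already carrying the redaction marker are not reported.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        for key, rx in PATTERNS:
            for m in rx.finditer(line):
                val = m.group(2)
                if val and val != REDACTED:
                    hits.append((n, key, val))
    return hits


# Constructed sign-in body in the documented JSON shape (values are fake).
SIGNIN_BODY = json.dumps({
    "credentials": {
        "personalAccessTokenName": "ci-deploy",
        "personalAccessTokenSecret": "EXAMPLE-SECRET-0123456789",
        "site": {"contentUrl": "finance"},
    }
})

# Constructed log excerpt: one JSON leak, one header leak, one already redacted.
SAMPLE_LOG = [
    "INFO  2025-02-11 10:00:01 GET /api/sites 200",
    'DEBUG 2025-02-11 10:00:02 signin body={"credentials": '
    '{"personalAccessTokenName": "ci-deploy", '
    '"personalAccessTokenSecret": "EXAMPLE-SECRET-0123456789", '
    '"site": {"contentUrl": "finance"}}}',
    "DEBUG 2025-02-11 10:00:03 headers: X-Tableau-Auth: EXAMPLE-SESSION-TOKEN "
    "Accept: application/json",
    'DEBUG 2025-02-11 10:00:04 signin body=<tsRequest><credentials '
    'personalAccessTokenName="ci-deploy" personalAccessTokenSecret="[REDACTED]">'
    '<site contentUrl="finance"/></credentials></tsRequest>',
]

if __name__ == "__main__":
    vuln, hard = [], []
    log_request_vulnerable(SIGNIN_BODY, vuln)
    log_request_hardened(SIGNIN_BODY, hard)
    print("vulnerable:", vuln[0])
    print("hardened:  ", hard[0])
    for n, key, val in find_leaked_secrets(SAMPLE_LOG):
        print(f"line {n}: cleartext {key} = {val[:8]}... revoke this credential")
```

Run it as a script to see the same sign-in body logged both ways and the two leaked values reported from the sample log; point find_leaked_secrets at real retained logs (including aggregated and backed-up copies) and treat every hit as a credential to revoke, since upgrading the server does not unlog it.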

Details

CWE(s)

CWE-312 Cleartext Storage of Sensitive Information

Affected Products

Salesforce Tableau Server (CPE vendor: tableau, product: tableau_server)
2020.4.x before 2020.4.19 · 2021.1.x before 2021.1.16 · 2021.2.x before 2021.2.14 · 2021.3.x before 2021.3.13 · 2021.4.x before 2021.4.8 · 2022.1.x before 2022.1.3

CVEs Like This One

CVE-2025-26494 · Same product: Tableau Server
CVE-2025-22896 · Shared CWE-312
CVE-2025-12774 · Shared CWE-312
CVE-2024-55027 · Shared CWE-312
CVE-2024-23942 · Shared CWE-312
CVE-2025-52452 · Same product: Tableau Server
CVE-2025-34216 · Shared CWE-312
CVE-2025-25758 · Shared CWE-312
CVE-2026-34833 · Shared CWE-312
CVE-2024-55928 · Shared CWE-312

References

Salesforce advisory: https://help.salesforce.com/s/articleView?id=000390611&type=1