CVE-2025-26495
Published: 11 February 2025
Description
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Security Summary
CVE-2025-26495 is a Cleartext Storage of Sensitive Information vulnerability (CWE-312) in Salesforce Tableau Server. The flaw causes Personal Access Tokens (PATs), which serve as authentication credentials, to be logged in plaintext within logging repositories. This affects Tableau Server versions prior to 2022.1.3, 2021.4.8, 2021.3.13, 2021.2.14, 2021.1.16, and 2020.4.19.
The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating it is exploitable remotely over the network with low complexity, no privileges, and no user interaction required. Unauthenticated attackers can access the logging repositories to extract the exposed PATs, achieving high-impact confidentiality loss that could enable further unauthorized access to Tableau Server functionalities or data.
Salesforce advisories recommend upgrading to the specified patched versions (2022.1.3 or later, 2021.4.8 or later, and equivalents for other branches) to mitigate the issue. Additional details on the vulnerability and remediation are provided in the official advisory at https://help.salesforce.com/s/articleView?id=000390611&type=1.
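The two practical questions the summary above raises for an operator are whether a given Tableau Server build falls below the fixed release on its branch, and whether the log repositories still carry PAT secrets after patching. The following is an added example (not code from the advisory or from Tableau) that answers both; the fixed-version table comes from the summary, while the PAT field names in the log pattern and the sample log lines are assumptions constructed for the example.

```python
import re

# Fixed version per release branch, as listed in the CVE-2025-26495 summary:
# builds earlier than these on each branch log PATs in plaintext.
FIXED_VERSIONS = {
    (2022, 1): (2022, 1, 3),
    (2021, 4): (2021, 4, 8),
    (2021, 3): (2021, 3, 13),
    (2021, 2): (2021, 2, 14),
    (2021, 1): (2021, 1, 16),
    (2020, 4): (2020, 4, 19),
}

def parse_version(text):
    """Parse a 'YYYY.N.M' Tableau Server version into an int tuple."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Tableau Server version: {text!r}")
    return tuple(int(p) for p in parts)

def is_affected(version_text):
    """Return 'affected', 'fixed', or 'unknown' (branch not named in the advisory)."""
    version = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return "unknown"
    return "affected" if version < fixed else "fixed"

# Assumed PAT field names (hypothetical, not taken from the advisory). The scanner
# flags any log line carrying a value for them and returns a redacted copy, so the
# finding can be reported without copying the secret into another log.
PAT_PATTERN = re.compile(r'(personalAccessTokenSecret|pat_secret)\s*[=:]\s*"?([^"\s,]+)"?')

def find_plaintext_pats(log_lines):
    """Return (line_no, redacted_line) for each line that carries a PAT secret."""
    hits = []
    for no, line in enumerate(log_lines, 1):
        if PAT_PATTERN.search(line):
            hits.append((no, PAT_PATTERN.sub(r"\1=<REDACTED>", line)))
    return hits

# Constructed sample log lines (not real Tableau Server output).
SAMPLE_LOG = [
    "2025-02-11 10:00:01 INFO  signin user=alice personalAccessTokenName=ci-build",
    '2025-02-11 10:00:01 DEBUG request body personalAccessTokenSecret="AbC123xyz==" site=default',
    "2025-02-11 10:00:02 INFO  signin ok user=alice",
]
```

Running `is_affected` over an inventory of server versions gives the patch backlog; running `find_plaintext_pats` over exported log files before and after the upgrade confirms that secrets stopped being written (existing log archives still need rotation or scrubbing, since patching does not remove what was already logged).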
Details
- CWE(s): CWE-312 (Cleartext Storage of Sensitive Information)
- Affected Products: Salesforce Tableau Server prior to 2022.1.3, 2021.4.8, 2021.3.13, 2021.2.14, 2021.1.16, and 2020.4.19
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Cleartext storage of PATs in log files directly enables extraction of unsecured credentials from files.