Skip navigation

Severity: Critical


Summary: The Tableau Server installation process leaves an account enabled that can allow an unauthorized remote attacker to gain access and perform administrative functions. This vulnerability does not affect installations that are configured to use Active Directory authentication.


Impact: Allows unauthorized disclosure of information, modification of information, and denial of service.  


Vulnerable Versions: 

* 7.0 to 8.2

* 8.3 (through 8.3.17)

* 9.0 (through 9.0.20)

* 9.1 (through 9.1.16) 

* 9.2 (through 9.2.15) 

* 9.3 (through 9.3.11)

* 10.0 (through 10.0.5) 

* 10.1 (through 10.1.3)


Conditions: Tableau Servers configured for local authentication with SAML, OAuth, OpenID, or TLS mutual authentication are vulnerable. To determine if your installation of Tableau Server is configured for local authentication, see the document Questions and Answers regarding ADV-2017-001.

Resolution: To mitigate this vulnerability, immediately change the user password and permissions.  See the document Questions and Answer regarding ADV-2017-001 for the necessary steps. 

After changing the user, schedule an upgrade to a non-vulnerable version of Tableau Server as soon as possible.


CVSSv3 Base Score: 9.8 (Critical)

CVSSv3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H


Acknowledgement: This vulnerability was found by a customer.