Tableau Next Agent Security Risks

Data Engineering Agents tableau.com Tight Operators
AI RISK QUADRANT POSITION DEFENSE CONTROLS (9) ATTACK SURFACE (4.8) EXPOSED GIANTS FORTIFIED LEADERS HUMBLE PROVIDERS TIGHT OPERATORS
AIRQ Score
3.85
Critical
Attack Surface
4.8
Medium
Blast Radius
3.38
Medium
Defense Controls
9
Medium
About The Agent

Tableau Next is a cloud-hosted agentic analytics platform running on Salesforce Hyperforce that deploys three AI agents — Data Pro for data preparation, Concierge for natural language query, and Inspector for proactive monitoring — as Agentforce skills operating within the operator's Tableau Cloud environment. The agents query enterprise data warehouses through semantic data models, generate visualizations and analytical summaries, translate insights into workflow actions across Salesforce and third-party applications, and share results via Slack, while an open-source MCP server extends the analytics surface to any MCP-compatible AI client.

About the AI Risk Quadrant

Tight Operators placement reflects an agent whose moderate attack surface combines multi-channel input ingestion with enterprise data access and downstream output delivery, paired with a comparatively modest blast radius constrained by the vendor-hosted platform boundary. Tableau Next inherits meaningful vendor-managed controls through the Einstein Trust Layer — prompt defense, data masking, toxicity scoring, and audit logging — but the convergence of untrusted input, sensitive enterprise data access, and external egress channels elevates the composite attack surface score near the quadrant boundary.

1 Key Risks

The most critical security risks an operator inherits when deploying this agent in its documented default configuration. The dominant exposures concentrate where untrusted input enters through multiple channels and where agent output reaches external consumers, while the vendor-hosted platform boundary limits blast radius to data access rather than host compromise.

Key Input Risks
Untrusted content from natural language prompts, MCP protocol queries, and CRM record fields reaches the agent reasoning loop through multiple channels. The Einstein Trust Layer provides prompt defense and topic classification, but prompt injection signal detection remains in beta and the breadth of input channels expands the indirect injection surface. [9][17]
Key Execution Risks
Agents execute SQL queries against connected data warehouses within the vendor-hosted platform boundary. No shell execution is exposed, but historical CVEs in the shared Tableau codebase have demonstrated RCE and code inclusion paths in server-side processing. [3][4][5]
Key Action Risks
The platform ships default email actions with mandatory approval gates, but custom Agentforce actions can fire autonomously when the operator does not enable the opt-in HITL gate. The workflow engine translates analytical insights into actions in third-party applications without a granular per-action permission model. [10][12]
Key Output Risks
Agent-generated responses include rich visualizations, natural language summaries, and Slack messages that reach downstream consumers outside the platform boundary. Trusted URLs enforcement restricts link generation to vendor-approved domains, limiting the exfiltration surface. [12][17]
Key Monitoring Risks
The Einstein Audit Trail captures prompts, responses, and Trust signals into Data Cloud with pre-built monitoring dashboards and Transaction Security Policies for real-time enforcement. Prompt injection signal detection is available but remains in beta, leaving the real-time detection of novel injection patterns as an operator-managed concern. [11][12]

2 AIRQ Scores

The four headline scores quantify how exposed the agent is, how damaging a successful attack would be, and how much the agent’s own controls reduce that risk. Tableau Next sits near the boundary between the lower-risk and moderate-risk quadrants, with vendor-managed controls partially offsetting an attack surface elevated by the simultaneous presence of untrusted input channels, sensitive data access, and external egress paths.

AIRQ Metrics

The agent lands in the Tight Operators quadrant because the blast radius stays below the capability-class threshold while the defense score lifts the composite — though the attack surface sits within a fraction of the boundary, elevated because untrusted input, sensitive data access, and external egress all converge in the same session.

Attack Surface and Blast Radius each scale to ten, Defense Controls to fifteen, and the composite AIRQ Score weighs all three into a single operator-facing metric.

Metric Score Comments
AIRQ Score 3.85 Vendor-managed platform controls partially offset the attack surface, producing a composite in the lower-moderate band.
Blast Radius 3.38 / 10 No host-level execution or file system access keeps every blast factor in the lower bands, with network and credential scope constrained by platform-managed domain and permission controls.
Attack Surface 4.8 / 10 Most surfaces cluster in the moderate band reflecting multi-channel agent design, and the convergence of untrusted input, sensitive data, and egress lifts the composite near the quadrant boundary.
Defense Controls 9 / 15 Vendor-managed controls span five defensive dimensions with documented prompt defense, data masking, multi-tenant isolation, toxicity scoring, and audit logging, placing the agent well above the cohort floor.

3 Attack Surface

Attack surfaces are the entry points and interaction patterns through which adversarial input can reach the agent’s reasoning loop and steer its behavior. The dominant exposures for Tableau Next are the multi-channel input ingestion path — natural language prompts, MCP protocol, CRM record fields — and the rich output surface where agent-generated content reaches downstream consumers via Slack and workflow actions.

Attack Surface Metrics

Nine of ten surfaces sit at moderate architectural exposure reflecting the multi-channel agent design, while memory scores low because the agent operates statelessly within a vendor-managed session boundary.

Each row ties a scored surface to its strongest evidence anchor and an analyst assessment of the architectural exposure on the documented default configuration.

Surface Score Comments
User Input 2 / 4 Multiple input channels including natural language prompts, MCP queries, and CRM data flows reach the reasoning loop with vendor prompt defense and topic classification providing instruction hierarchy separation. [9][17]
External Data 2 / 4 Agents ingest data from enterprise warehouses through semantic models with role-based access controls, and the Einstein Trust Layer provides data masking for sensitive fields before they reach the reasoning loop. [9][10]
Memory 1 / 4 Session-level context only with no cross-session conversational memory; persistent semantic models and business preferences are admin-curated and do not accept automated agent writes. [10]
Reasoning 2 / 4 Multi-step reasoning with visible chain-of-thought explanations and source data attribution; topic classification constrains agent scope to reduce hallucination risk. [17]
Planning 2 / 4 Concierge decomposes analytical queries into steps with user-visible results; Inspector monitors proactively but within a vendor-defined monitoring scope without autonomous task delegation. [18]
Tool Execution 2 / 4 Agents generate and execute SQL queries against connected data sources within the vendor-hosted platform; no shell, file write, or arbitrary code execution is exposed to the agent runtime. [13][14]
Orchestration 2 / 4 Multi-turn conversations and a workflow engine translate insights into downstream actions; Inspector runs vendor-scoped background monitoring without exposing operator-configurable scheduling or daemon capabilities. [16]
Inter-Agent 2 / 4 The open-source MCP server enables external AI applications to query Tableau data with configurable authentication, while Agentforce skill orchestration routes between internal agents through a vendor-managed protocol. [13]
Output Processing 2 / 4 Rich output including visualizations and natural language summaries reaches Slack and third-party applications with Trusted URLs enforcement restricting link generation to vendor-approved domains. [12][17]
Configuration 2 / 4 Semantic model selection allowlists and extension safe lists restrict agent scope, with MCP server authentication defaulting to OAuth for HTTP deployments; the --no-auth flag bypasses authentication but is not the default posture. [13][16]

The Lethal Trifecta is triggered when an agent processes untrusted content, accesses private data, and communicates externally in the same session — the three conditions that turn an isolated prompt injection into full-chain exfiltration. Tableau Next ingests untrusted content from multiple external channels, accesses enterprise data warehouses holding sensitive business records, and transmits results via Slack messaging, email actions, and MCP responses without a single platform-level control that gates all three paths simultaneously.

Lethal Trifecta · Complete (3 of 3)

Tableau Next exhibits all three of these conditions in its documented default configuration:

  • Untrusted input — Web-to-Lead form submissions, natural language prompts, and MCP queries from external AI clients all feed untrusted bytes into the agent reasoning loop. [1][2][6]
  • Sensitive data — Agents query enterprise data warehouses through semantic models, accessing sales records, customer data, and financial metrics scoped to the querying user's full permission set. [10][14]
  • External egress — Agent responses reach external consumers via Slack integration, custom email actions, MCP server responses to external clients, and network-enabled dashboard extensions. [1][12]

4 Blast Radius

The blast radius is what an attacker who controls the agent can reach — which systems they touch, which credentials they read, and which actions they take without operator approval. Compromise of a Tableau Next agent reaches the operator's connected data warehouses at the querying user's permission scope but cannot escape the vendor-hosted platform boundary to the operator's host, file system, or infrastructure.

Blast Radius Metrics

No blast factor reaches the maximum band; the highest exposures are network and credential scope at the second tier, constrained by platform-managed domain restrictions and role-based access controls.

Each row ties a blast factor to the operator resource the agent can reach on its documented default, from query-scoped data access to workflow-triggered downstream actions.

Factor Score Comments
Code execution 1 / 4 SQL query execution within the vendor-hosted analytics engine with no shell, interpreter, or arbitrary code execution surface exposed to the agent runtime. [14]
File system access 0 / 4 No direct file system access; all data interaction occurs through platform-managed connectors and semantic data models within Tableau Cloud. [14]
Network access 2 / 4 Outbound requests constrained by Trusted URLs enforcement and extension safe lists; Slack integration and MCP responses provide domain-restricted egress channels. [7][12]
Credential access 2 / 4 Agents operate with the querying user's Tableau permissions and can access data source connection credentials embedded in published workbooks by administrators. [10][14]
Autonomous action 2 / 4 Inspector monitors data proactively and default email workflows include approval gates, but operator-built Agentforce skills execute without mandatory confirmation unless the approval step is explicitly added. [10][15]
Deployment access 1 / 4 The workflow engine triggers downstream actions in Salesforce and third-party applications but cannot modify infrastructure, publish packages, or deploy code. [15][16]

5 Defense Controls

Defense controls are what the agent’s own architecture does to detect, contain, and report attacks before they reach the operator’s systems. The Einstein Trust Layer delivers prompt defense, data masking, execution isolation, and structured audit logging by default, while action-level approval gates remain partially opt-in for custom Agentforce actions.

Defense Controls Metrics

Higher scores indicate stronger vendor-managed safeguards; the defense total reflects meaningful vendor investment with the weakest link at the action control layer where operator-built Agentforce actions execute autonomously unless the HITL approval gate is explicitly enabled.

Each component is scored on what the vendor ships as a default control, with non-default hardening options noted separately.

Component Score Comments
Input Guardrails 2 / 3 The Einstein Trust Layer provides pattern-based data masking, toxicity scoring, topic classification, and prompt defense directives by default; prompt injection detection remains in beta. [9][17]
Execution Isolation 2 / 3 Agents execute within Salesforce Hyperforce cloud infrastructure with multi-tenant isolation; no user-accessible shell or arbitrary code execution surface is exposed in the documented default. [14]
Action Controls 1 / 3 Default email actions enforce approval gates and semantic model allowlists restrict agent data scope, but operator-configured Agentforce actions execute autonomously unless the HITL gate is explicitly enabled per action. [10]
Output Guardrails 2 / 3 Trusted URLs enforcement blocks agent-generated links to unapproved domains, toxicity scoring filters harmful output, and data masking prevents sensitive patterns from reaching third-party LLMs. [7][9]
Monitoring 2 / 3 Einstein Audit Trail logs prompts, responses, and Trust signals to Data Cloud with pre-built dashboards; Transaction Security Policies enable real-time agent behavior enforcement; SOC 2 and ISO 27001 certifications cover the platform. [11][12]

6 Hardening Tips

Concrete actions an operator can take to reduce the risks reported above, grouped by which defense control each tip strengthens. The highest-leverage changes for Tableau Next are enforcing human-in-the-loop approval on all custom Agentforce actions and restricting semantic model access to the minimum data scope each agent requires.

Input Guardrails

Input guardrails intercept adversarial content before it reaches the reasoning loop.

Input Guardrails
  • Policy Require all Web-to-Lead and external form submissions to pass a manual review queue before agent processing — counters the indirect prompt injection path demonstrated by the ForcedLeak chain.
  • Configuration Configure topic classification instructions to reject queries referencing data outside the agent's intended scope and restrict MCP server tool exposure to the minimum required set — counters User Input at the moderate band.
  • Engineering Deploy a pre-processing classifier between CRM record ingestion and the agent reasoning loop that flags records containing instruction-like patterns, informed by automated attack generation techniques demonstrated in academic research. [8]

Execution Isolation

Execution isolation contains what a compromised agent can do on the host.

Execution Isolation
  • Policy Restrict data source connections to read-only credentials scoped to the minimum tables each semantic model requires — counters credential blast at the second tier.
  • Configuration Configure MCP server authentication to OAuth mode exclusively and remove PAT-based access to prevent single-credential session conflicts — counters inter-agent exposure at moderate band.
  • Engineering Wrap the Tableau MCP server deployment behind an API gateway with request-rate limiting and query-content inspection — counters the open MCP query surface.

Action Controls

Action controls govern which tools and actions the agent can invoke autonomously.

Action Controls
  • Policy Mandate human-in-the-loop approval for every custom Agentforce action that writes data or sends messages externally — counters Action Controls at partial coverage.
  • Configuration Configure semantic model selection allowlists per agent to restrict each skill to the minimum data scope required for its function — counters broad data access from the Concierge skill.
  • Engineering Build a custom approval workflow that requires secondary authorization for any agent action that triggers a write to an external system — counters autonomous action blast at moderate tier.

Output Guardrails

Output guardrails inspect what the agent sends to other systems and users.

Output Guardrails
  • Policy Audit the Trusted URLs allowlist quarterly and remove any expired, unused, or externally acquirable domains — counters the CSP whitelist weakness demonstrated in the ForcedLeak chain.
  • Configuration Disable network-enabled dashboard extensions by default and require per-extension approval via the site safe list — closes the extension-based egress path that bypasses Trusted URLs enforcement.
  • Engineering Instrument outbound Slack messages and MCP responses with a content-inspection hook that blocks payloads containing data patterns matching sensitive field types — counters exfiltration via messaging channels.

Monitoring

Monitoring captures what the agent did and surfaces anomalies for review.

Monitoring
  • Policy Establish a quarterly review cadence for Einstein Audit Trail logs with documented escalation criteria for anomalous agent behavior patterns — counters Monitoring at vendor-documented tier.
  • Configuration Forward Transaction Security Policy alerts to the organization SIEM and configure automated playbooks for high-severity prompt injection signals — counters the beta status of prompt injection detection.
  • Engineering Build a custom Data Cloud dashboard that correlates agent query volume, data scope, and Trust signal anomalies across all Agentforce skills — counters monitoring blind spots for multi-agent orchestration patterns.

7 References

The evidence base behind every score and finding in the profile, grouped by source type so the reader can verify any claim. Numbers in brackets throughout the report (e.g. [7, 13]) refer to entries below, listed in citation order.

Selected Vulnerabilities

  1. ForcedLeak indirect prompt injection Noma Labs critical-severity vulnerability chain enabling CRM data exfiltration via indirect prompt injection in Agentforce
  2. PipeLeak prompt injection chain Capsule Security independent discovery of indirect prompt injection in Agentforce with full attack chain documentation
  3. Salesforce Security Advisories Vendor advisory page listing Tableau Server CVEs and row-level access control issues with patch status
  4. CVE-2025-52449 RCE via deceptive filenames in Tableau Server EPS modules CVSS 8.5 patched 2025.1.3
  5. CVE-2025-26496 Type confusion in Tableau Server file upload modules CVSS 9.8 patched 2025.1.3

Selected Research

  1. ForcedLeak SaaS Security Alert Nudge Security analysis of ForcedLeak including CSP whitelist weakness and full disclosure timeline
  2. Trusted URLs enforcement for Agentforce TechNadu coverage of mandatory Trusted URLs enforcement for Agentforce and Einstein AI agents
  3. AutoInject RL-based prompt injection attacks Academic preprint on reinforcement learning-based prompt injection attack generation against LLM agents

Vendor Documentation

  1. Einstein Trust Layer for Tableau AI Vendor documentation of Einstein Trust Layer covering data masking and toxicity scoring and zero-data-retention
  2. Trusting Tableau Agent Vendor trust blog on Einstein Trust Layer integration with zero-data-retention and permissions enforcement
  3. Tableau Next Salesforce Compliance Salesforce Compliance Site listing ISO 27001 and SOC 2 certifications for Tableau Next
  4. Securing Agentforce with Trusted Services Salesforce blog on Transaction Security Policies and prompt injection signals for Agentforce
  5. Tableau MCP Server Official open-source MCP server with PAT and JWT and OAuth authentication modes
  6. Tableau Cloud Security Vendor documentation of Tableau Cloud TLS encryption and Hyperforce infrastructure and SQL injection protections

Other Sources

  1. Tableau enters the agentic AI era TechTarget coverage of Tableau Next launch with three agent capabilities and Agentforce integration
  2. Tableau April 2026 New Features Vendor release notes covering Tableau Next MCP launch and semantic model selection allowlists
  3. Agentforce Guardrails and Trust Patterns Salesforce Trailhead module on Agentforce security guardrails and Einstein Trust Layer integration
  4. Agentforce for Analytics in Tableau Next Salesforce Trailhead module on Concierge and Data Pro and Inspector agent capabilities