📊 HiddenMerit Daily · Issue 10
Focus on Database Frontiers, Practical Insights for DBAs
May 5, 2026 | 5 Selected Global Breaking News
01|OceanBase Fully Discloses Global Business for First Time: Covering Over 1.3 Billion Users, Overseas Revenue Up 200%
On May 3, at the Infinity2026 conference held in Kuala Lumpur, Malaysia, OceanBase for the first time fully disclosed its global business progress, and simultaneously announced the launch of its Global Support Center in Kuala Lumpur, promising 7×24 hour response – another core hub following its Singapore international headquarters. Public data shows that in the fintech sector, OceanBase has served over 100 enterprises, covering more than 20 e-wallets and over 50 payment platforms, with its customers collectively covering more than 1.3 billion end users. In traditional finance sectors such as banking, it has served over 400 financial institutions, including banks, insurance companies, and wealth management firms, with more than 60% deploying OceanBase in their core business systems. Customers include cross‑border institutions like HSBC and Hang Seng Bank. Among its benchmark clients, the Philippines’ top national super app GCash reduced storage space by 70% and resource costs by 40% after migration, while Malaysia’s TNG eWallet, which has over 26 million verified users, passed an extreme stress test of 40,000 transactions per second with zero downtime, with OceanBase’s help. The company also plans to introduce a new storage‑compute separation architecture and a lower pricing system for its overseas public cloud version. In addition, OceanBase has open‑sourced 3 million lines of core code, and community participants now exceed 500.
· DBA Perspective: The real‑world data from GCash and TNG is highly compelling – 70% storage compression, 40% resource cost reduction, 40,000 TPS zero‑down‑time stress test. “Compression technology” and “online DDL” are the production‑level features that DBAs care about most, and OceanBase has demonstrated their industrial maturity with solid data. DBAs should focus on: first, OceanBase’s full‑chain migration tooling (especially heterogeneous data sync capabilities); second, the new operational models brought by storage‑compute separation architecture. As domestic databases gain market credibility to challenge traditional commercial databases, the dividend from building skills in this ecosystem will remain reliably strong for the next 3‑5 years.
· CTO Perspective: From supporting “Double 11” traffic peaks to empowering Southeast Asian national‑level wallets, OceanBase’s distributed architecture has proven its endurance in massive concurrency scenarios. Overseas revenue growth of 200% shows that the global expansion of domestic databases has moved from “going out” to “digging in.” For CTOs, domestic products like OceanBase and GaussDB, along with international cloud databases like AWS Aurora and Google AlloyDB, have become mainstream options that need to be included in evaluation lists – especially well‑suited for scenarios demanding strong consistency and high concurrency, such as financial payments.
· Investor Perspective: Covering 1.3 billion end users and 200% overseas revenue growth demonstrates OceanBase’s commercialisation potential in the global market. More importantly, its customer structure has shifted from “internet businesses” to “financial core systems” – over 60% deployments in banks’ core businesses, implying a strong technology moat and customer stickiness. Its open‑source strategy and the planned new pricing system for storage‑compute separation will further expand its developer ecosystem reach.
02|Oracle 26ai First Quarterly RU (23.26.2.0.0) Released: Version Number Changes, AI‑Powered Security
Oracle 26ai’s first quarterly RU (Release Update, version 23.26.2.0.0) became available on May 2, marking the full adoption of Oracle’s new quarterly patch rules – 23.26.x is fixed, with the third digit representing the quarter (23.26.2 corresponds to Q2 2026). This update includes fixes for a total of 481 CVEs across 28 product families, including Oracle Database, MySQL, and Fusion Middleware. Among them, Oracle Communications received 139 patches, Oracle Financial Services 75, Oracle Fusion Middleware 59, MySQL 34, and Oracle Database Server 26. It is particularly noteworthy that Oracle, for the first time, leveraged cutting‑edge AI large models (including Anthropic Claude Mythos Preview and OpenAI Trusted Access for Cyber) to assist in identifying and fixing security vulnerabilities. An extremely high proportion of the vulnerabilities are remotely exploitable without authentication. Oracle warns that “attackers continue to exploit existing vulnerabilities” and strongly recommends that enterprises upgrade to 19c or 26ai as soon as possible and keep up with the latest RUs.
· DBA Perspective: The new quarterly RU maintenance discipline is now formally established. It is recommended to incorporate quarterly patches into your regular O&M cadence. In this RU, MySQL Server received 34 patches, with 3 vulnerabilities remotely exploitable – and since MySQL 8.0 is already EOL, production environments that have not been upgraded will face long‑term security risks, as information about older version vulnerabilities is rapidly being weaponised by attackers.
· CTO Perspective: The most significant highlight of Oracle 26ai’s first RU is “AI‑powered security” – using large models to assist in vulnerability discovery and patching. This is a paradigm innovation in database security capability. For decision‑makers, this affects not only security response efficiency but also the overall O&M management cadence. Decision‑makers need to evaluate whether it fits their organisation’s internal change management processes.
· Investor Perspective: Oracle is simultaneously building a deep and coherent “database + AI” story from multiple directions (kernel AI, O&M AI, security AI). The narrative is cohesive, but the market ultimately watches the real growth rate of service revenue and cloud database renewal rates. The commercialisation cycle of AI capabilities needs continuous tracking.
03|MySQL 9.7 LTS Officially Released: AI‑Grade Capabilities Delivered to Community Edition
MySQL 9.7.0 was officially released as the latest LTS (Long‑Term Support) version on April 21, 2026, offering approximately 8 years of support (5 years standard + 3 years extended). MySQL 9.7 is maintained in parallel with 8.4.9 LTS, but puts stronger emphasis on open community access to new features. Key new features include: Improved VECTOR type – supports multi‑dimensional embedding storage and hybrid queries combining “structured filters + vector similarity” within a single database, with DISTANCE() function supporting Euclidean, dot product, and cosine distances; Hypergraph Optimiser community edition – significantly improves optimiser enumeration capabilities for multi‑table JOINs (especially 10+ tables, star/snowflake schemas); Full DML support for JSON Duality Views – allows developers to store data as relational tables while reading/writing the same data through JSON document views, greatly reducing ORM mapping overhead; Complete removal of mysql_native_password – full transition to caching_sha2_password (with new PBKDF2 storage format to support smooth migration). A webinar for MySQL 9.7 LTS will be held on May 12.
· DBA Perspective: This is a historic turning point – MySQL LTS versions are no longer a moat for Enterprise Edition monetisation, but rather an avenue to deliver AI‑grade capabilities (vector search, complex JOIN optimisation) to the broader community. For those still worried about MySQL 8.0 EOL, the migration path is now very clear. The most urgent action is to identify all old drivers still using mysql_native_password, perform password plugin upgrades in a staging environment, assess application compatibility, and then evaluate a direct migration from 8.0.x to 9.7 LTS.
· CTO Perspective: 9.7 LTS releases multiple core Enterprise Edition capabilities (in‑database vector search, complex JOIN optimisation) to the community. For technology decisions, this significantly reduces vendor lock‑in risks and commercial licensing costs. Decision‑makers can consider whether to transition to 9.7 early based on the cost‑benefit analysis of “new projects” or “full migration of core systems.”
· Investor Perspective: Oracle’s new policies for MySQL community governance are gradually translating into tangible technology openness. This will have a sustained valuation impact on MariaDB and other MySQL‑compatible products. Differences in community activity will increasingly manifest in iteration speed and market recognition.
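The inventory step named in the DBA perspective above can be run as the following queries on the existing 8.0.x or 8.4 server before any upgrade. This is an added example, not code from the newsletter or from MySQL; the account name in the final template is hypothetical, and the queries assume performance_schema is enabled.

```sql
-- 1. Accounts whose stored credential still uses the removed plugin.
SELECT user, host, plugin, account_locked, password_expired
FROM mysql.user
WHERE plugin = 'mysql_native_password'
ORDER BY user, host;

-- 2. Which of those user names are actually connecting (counters reset at
--    server start). HOST here is the client host, not the account's host
--    pattern, so the match is on user name only and may over-report when
--    the same name exists with different plugins.
SELECT a.USER, a.HOST AS client_host,
       a.CURRENT_CONNECTIONS, a.TOTAL_CONNECTIONS
FROM performance_schema.accounts AS a
WHERE a.USER IN (SELECT user FROM mysql.user
                 WHERE plugin = 'mysql_native_password')
ORDER BY a.TOTAL_CONNECTIONS DESC;

-- 3. Client library and version of each live session on those accounts,
--    taken from the connection attributes the driver sends at handshake.
--    One row per session; NULLs mean the driver sent no attributes.
SELECT t.PROCESSLIST_ID   AS session_id,
       t.PROCESSLIST_USER AS user,
       t.PROCESSLIST_HOST AS client_host,
       MAX(CASE WHEN c.ATTR_NAME = '_client_name'    THEN c.ATTR_VALUE END) AS client_name,
       MAX(CASE WHEN c.ATTR_NAME = '_client_version' THEN c.ATTR_VALUE END) AS client_version,
       MAX(CASE WHEN c.ATTR_NAME = 'program_name'    THEN c.ATTR_VALUE END) AS program_name
FROM performance_schema.threads AS t
LEFT JOIN performance_schema.session_connect_attrs AS c
       ON c.PROCESSLIST_ID = t.PROCESSLIST_ID
WHERE t.PROCESSLIST_USER IN (SELECT user FROM mysql.user
                             WHERE plugin = 'mysql_native_password')
GROUP BY t.PROCESSLIST_ID, t.PROCESSLIST_USER, t.PROCESSLIST_HOST
ORDER BY client_name, client_version;

-- 4. Staging-only template for switching one account. The old hash cannot
--    be converted, so a new password must be set. 'app_user'@'10.0.%' is a
--    hypothetical account; replace the placeholder before running.
-- ALTER USER 'app_user'@'10.0.%'
--   IDENTIFIED WITH caching_sha2_password BY '<new-password>';
```

Query 3 only sees sessions that are connected when it runs, so repeat it across a full business cycle to catch batch jobs. Clients switched to caching_sha2_password need TLS or RSA key exchange for their first authentication, which is the usual compatibility break with old drivers.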
04|SAP Announces Acquisition of Data Lakehouse Platform Dremio to Build an Open AI Data Platform
On May 4, SAP SE officially announced that it has reached an agreement to acquire Dremio. The specific transaction amount was not disclosed, and the acquisition is expected to close in Q3 2026. Dremio is an open source, high‑performance data lakehouse platform built on Apache Iceberg. After the acquisition closes, Dremio’s technology will be deeply integrated with SAP Business Data Cloud and SAP HANA Cloud, merging SAP and non‑SAP data to provide enterprises with a unified, open AI data infrastructure. Dremio’s unique serverless elastic architecture, Polaris open data catalog, and Iceberg REST Catalog API will help users achieve federated analytics on the industry‑standard open table format Apache Iceberg. SAP CTO Philipp Herzig explicitly stated: “The reason enterprise AI fails to create value is not the models themselves – it is that data is not ready for AI agents. Dremio removes this bottleneck.”
· DBA Perspective: This acquisition signals that “data fragmentation” has become the biggest obstacle to AI implementation. Dremio’s core technical approach is to “eliminate ETL” (federated analytics via Apache Iceberg, allowing data to be accessed across engines without moving it). This will have a profound impact on the traditional DBA skillset around data warehousing pipelines. DBAs need to start learning about new open table formats and metadata management tools like Iceberg and Polaris, and adapt early to this next‑generation technology shift.
· CTO Perspective: The core logic behind SAP’s acquisition of Dremio is very clear – not to insist on “SAP data can only be processed by SAP systems”, but to use an open data lakehouse to unify and federate both SAP and non‑SAP data, creating a truly “AI‑ready” data environment for AI agents. This is an important inspiration for CTOs selecting enterprise‑grade AI data infrastructure: an open, scalable data foundation is more sustainable than a short‑sprint closed integration approach.
· Investor Perspective: Traditional enterprise giant SAP acquiring data infrastructure strongly validates the strategic value of data platforms in the AI era. The next potential M&A targets are likely to be startups with deep technical moats in “open table formats” or “serverless data lakehouses.”
05|Twenty‑Year‑Old Vulnerability Exposed: Wiz ZeroDay.Cloud Conference Reveals Major PostgreSQL pgcrypto Flaw
At Wiz’s ZeroDay.Cloud security conference, security researchers disclosed a set of security vulnerabilities that have lain dormant in the core PostgreSQL extension pgcrypto for two decades. As PostgreSQL’s built‑in cryptographic extension module, pgcrypto is almost a standard dependency for virtually all high‑security PostgreSQL deployments. These aged vulnerabilities could allow an authenticated attacker to trigger memory corruption via specific function paths, leading to database instance crashes or even remote code execution. An emergency patch has been pushed by the community. The security community strongly recommends that all PostgreSQL users upgrade immediately and review their use of pgcrypto.
· DBA Perspective: The twenty‑year dormant vulnerabilities sound a sufficiently heavy alarm – the security assumption that “long history = battle‑tested code” is completely overturned in this case. pgcrypto is a de facto dependency for many core systems, but very likely its security implementation has not been reviewed for a long time. DBAs in high‑security environments should quickly inventory their dependency chains on pgcrypto and apply the patch as soon as possible.
· CTO Perspective: Hidden long‑cycle vulnerabilities in critical open‑source components can shake the trust foundation of the entire technology stack. Given the extremely high reliance on the pgcrypto module in enterprise security and compliance scenarios, this incident again reminds technical leaders that open source does not equate to security, and maturity does not mean immunity to attacks. Enterprises should establish continuous code review or dynamic scanning access mechanisms for key open‑source modules within their security baselines.
· Investor Perspective: Similar to the XZ backdoor crisis and Log4j, “supply chain weaknesses in foundational open‑source modules” are becoming a soft spot for enterprise security purchasing. Security companies that provide deep scanning, vulnerability discovery, and automated patch management for open‑source components will enjoy high recognition in enterprise security budgets. This incident will also directly accelerate the shift of enterprise security budgets toward SCA (Software Composition Analysis) tools and open‑source vulnerability management.
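One way to carry out the pgcrypto dependency inventory recommended in the DBA perspective above, using PostgreSQL's own catalogs. This is an added example, not code from the newsletter, Wiz or the PostgreSQL project; because the item does not name the affected functions, it lists all pgcrypto usage, and the name pattern in step 3 is a heuristic that can produce false positives.

```sql
-- Run in every database of the cluster: pg_extension is per-database.

-- 1. Is pgcrypto installed here, in which schema, at which extension version?
SELECT e.extname, e.extversion, n.nspname AS schema
FROM pg_extension e
JOIN pg_namespace n ON n.oid = e.extnamespace
WHERE e.extname = 'pgcrypto';

-- 2. Objects with a recorded dependency on any pgcrypto function:
--    view rules, column defaults, expression indexes, constraints.
WITH pgc_funcs AS (
    SELECT d.objid AS func_oid
    FROM pg_depend d
    JOIN pg_extension e ON e.oid = d.refobjid
    WHERE e.extname    = 'pgcrypto'
      AND d.refclassid = 'pg_extension'::regclass
      AND d.classid    = 'pg_proc'::regclass
      AND d.deptype    = 'e'            -- extension member
)
SELECT DISTINCT
       f.func_oid::regprocedure                           AS pgcrypto_function,
       pg_describe_object(d.classid, d.objid, d.objsubid) AS dependent_object
FROM pgc_funcs f
JOIN pg_depend d
  ON d.refclassid = 'pg_proc'::regclass
 AND d.refobjid   = f.func_oid
ORDER BY 1, 2;

-- 3. String-bodied routines (PL/pgSQL, SQL, ...) are not tracked in
--    pg_depend, so search their source for pgcrypto function names.
SELECT p.oid::regprocedure AS routine, l.lanname AS language
FROM pg_proc p
JOIN pg_language l ON l.oid = p.prolang
WHERE l.lanname NOT IN ('c', 'internal')
  AND p.prosrc ~* '\m(crypt|gen_salt|digest|hmac|encrypt(_iv)?|decrypt(_iv)?|gen_random_bytes|armor|dearmor|pgp_[a-z_]+)\M'
ORDER BY 1;
```

Application SQL that calls pgcrypto directly appears in none of these catalogs, so the inventory also needs a search of application code and query logs. The extension version in step 1 does not show whether the server binaries are patched; check the server minor version with `SELECT version();` against the community's fixed releases.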
📅 Recent Database Hot Topics Recap
| Date | Event | Core Highlights |
|---|---|---|
| May 2 | Oracle 26ai first quarterly RU (23.26.2.0.0) released | AI‑powered security, new high‑frequency quarterly patch cadence established |
| May 3 | OceanBase fully discloses global business progress | Covering 1.3B users, overseas national‑level wallet cases |
| May 4 | SAP announces acquisition of data lakehouse platform Dremio | Open AI data infrastructure strategy materialised |
| May 4 | Wiz conference reveals 20‑year‑old PostgreSQL vulnerability | Major flaw in pgcrypto module, urgent patching needed |
| May 12 | MySQL 9.7 LTS webinar | Vector + Hypergraph + JSON Duality features fully open |
| May 29 | Tencent Cloud “Database + AI” product launch | Domestic AI‑In‑Database roadmap realised |
📌 Issue Summary
| News | Core Keywords | DBA Actions | CTO/Decision‑Maker Focus | Investor Signals |
|---|---|---|---|---|
| OceanBase fully discloses global business | 1.3B users, overseas revenue +200%, zero‑down‑time stress test | Closely follow OceanBase migration tooling & distributed tuning; expand career opportunities abroad | Include leading domestic distributed products in global tech evaluation | Financial core system penetration rising; tech moat and customer stickiness grow together |
| Oracle 26ai first quarterly RU released | High‑frequency quarterly patches, AI‑powered security, version number change | Incorporate quarterly RUs into O&M baseline; immediately address EOL 8.0 security risks | Assess adaptability of high‑frequency Oracle changes to internal O&M processes | Ability to deliver “database + AI” security narrative reflected in renewal rates |
| MySQL 9.7 LTS released | Vector search open‑sourced, Hypergraph complex JOIN optimisation, legacy password plugin removed | Immediately identify old clients relying on mysql_native_password; plan grey‑scale upgrade | Community‑edition AI‑grade capabilities offer cost‑effective alternative to Oracle Enterprise Edition | Increased openness affects valuation of MariaDB and other MySQL‑compatible products |
| SAP acquires Dremio | Iceberg data lakehouse, federated analytics, ETL elimination | Learn Apache Iceberg & Polaris catalogue early; adapt to data warehouse modernisation | Open data foundation more sustainable than closed integration for AI infrastructure | Data infrastructure M&A picks up; tech moat drives valuation of startups |
| Wiz ZeroDay.Cloud exposes pgcrypto 20‑year flaw | Foundational open‑source module, 20‑year dormant vulnerability, memory corruption & RCE risk | Immediately inventory production use of pgcrypto and apply patches | Add continuous code review mechanisms for critical open‑source modules in security baselines | Enterprise security budgets shift decisively toward open‑source vulnerability scanning & management |
HiddenMerit Team Production Slogan: 绩优隐于内,金石启新程 | Hidden deep. Merit bold. Forge ahead.