
HiddenMerit Daily · Issue 14

DailyIssue Clyde Jin 1 week ago (05-09) 46 views 0 comments

Focus on Database Frontiers, Practical Insights for DBAs | May 9, 2026 | 5 Selected Global Breaking News

01|AI Infrastructure Security Alert: Severe Pre‑Auth SQL Injection in LiteLLM Sparks Storm

On May 6, the Bishop Fox security research team publicly released a technical reproduction report for CVE-2026-42208. The vulnerability exists in the popular open‑source AI gateway LiteLLM proxy developed by BerriAI and affects versions 1.81.16 through 1.83.6. An attacker can send specially crafted requests to public endpoints (e.g., LLM API routes such as /v1/chat/completions) without any authentication. Because the server returns the same 401 HTTP response for every probe, the injection is blind: the attacker uses PostgreSQL’s pg_sleep() function for time‑based blind injection, which also helps evade detection. More seriously, the default Docker Compose deployment grants the application user superuser privileges on the database, so the attacker can not only steal sensitive metadata but also perform full read/write operations on every table managed by LiteLLM – including the LiteLLM_VerificationToken table, which stores all virtual keys. Active in‑the‑wild exploitation was observed approximately 36 hours after the GitHub advisory. Upgrade to version 1.83.7 or later immediately.
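As an added illustration of the detection baseline a DBA or SOC would want for this item (example code written for this issue, not from Bishop Fox or the LiteLLM project): the script below parses constructed access‑log lines in an assumed key=value format, takes the median latency of 401 responses as the baseline, and flags any source whose repeated 401s are seconds slower than that baseline. That bimodal latency is the footprint a pg_sleep()-based time‑based blind injection leaves even though every response body is identical. The log format, the IP addresses and the thresholds are assumptions.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample access-log lines in an assumed "key=value" layout.
# This is NOT LiteLLM's real log format; adapt LOG_RE to your gateway's logs.
# 198.51.100.9 shows the time-based blind injection pattern: a burst of 401s
# in which roughly half take ~5 s (pg_sleep fired) and the rest are instant.
SAMPLE_LOG = """\
2026-05-08T10:00:01Z src=203.0.113.7 path=/v1/chat/completions status=401 ms=12
2026-05-08T10:00:02Z src=203.0.113.7 path=/v1/chat/completions status=401 ms=15
2026-05-08T10:00:03Z src=203.0.113.7 path=/v1/chat/completions status=200 ms=640
2026-05-08T10:00:04Z src=192.0.2.44 path=/v1/models status=401 ms=13
2026-05-08T10:00:05Z src=192.0.2.44 path=/v1/models status=401 ms=14
2026-05-08T10:00:06Z src=198.51.100.9 path=/v1/chat/completions status=401 ms=5012
2026-05-08T10:00:12Z src=198.51.100.9 path=/v1/chat/completions status=401 ms=16
2026-05-08T10:00:13Z src=198.51.100.9 path=/v1/chat/completions status=401 ms=5020
2026-05-08T10:00:19Z src=198.51.100.9 path=/v1/chat/completions status=401 ms=5003
2026-05-08T10:00:25Z src=198.51.100.9 path=/v1/chat/completions status=401 ms=11
2026-05-08T10:00:26Z src=198.51.100.9 path=/v1/chat/completions status=401 ms=5017
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) path=(?P<path>\S+) "
    r"status=(?P<status>\d+) ms=(?P<ms>\d+)$"
)


def parse_log(text):
    """Turn raw log lines into dicts; silently skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({"ts": d["ts"], "src": d["src"], "path": d["path"],
                       "status": int(d["status"]), "ms": int(d["ms"])})
    return events


def baseline_401_latency(events):
    """Median latency of all 401 responses: an auth rejection should be cheap
    and roughly constant, so this is the 'normal' cost of a rejected request."""
    lat = [e["ms"] for e in events if e["status"] == 401]
    return statistics.median(lat) if lat else 0.0


def find_timing_anomalies(events, min_slow=3, min_ms=1000, factor=20):
    """Return {source: [slow 401 latencies]} for sources with at least
    `min_slow` rejected requests that took far longer than the baseline.
    The threshold is the larger of an absolute floor (`min_ms`) and
    `factor` times the median, so a noisy baseline cannot hide a 5 s sleep."""
    threshold = max(min_ms, baseline_401_latency(events) * factor)
    slow = defaultdict(list)
    for e in events:
        if e["status"] == 401 and e["ms"] >= threshold:
            slow[e["src"]].append(e["ms"])
    return {src: lat for src, lat in slow.items() if len(lat) >= min_slow}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print(f"baseline 401 latency: {baseline_401_latency(evts)} ms")
    for src, lat in find_timing_anomalies(evts).items():
        print(f"ALERT {src}: {len(lat)} slow 401s, latencies {lat}")
```

The check deliberately keys on latency rather than on payload strings, because a WAF signature for `pg_sleep` is trivially rephrased while the delay itself is the channel the attacker depends on; pair it with rate‑based alerting on 401 bursts per source.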

Separately, the PraisonAI multi‑agent system just patched another series of critical SQL injection vulnerabilities (CVE-2026-41496, CVSS 8.1) affecting nine database backends, highlighting ongoing security challenges in multi‑agent AI applications.

· DBA Perspective: This is a wake‑up call for AI data infrastructure security. In the past, DBAs focused on SQL injection at the traditional database application layer. But an AI gateway like LiteLLM aggregates all of an enterprise’s LLM API keys and routing policies – once compromised, the attacker gains full access to every downstream model. As AI call volumes surge, DBAs must step in to audit third‑party AI proxy middleware, paying close attention to the principle of least privilege in database connection configurations (default superuser access is a catastrophic design), and establish baselines for detecting anomalous AI API calls.

· CTO Perspective: AI gateways are becoming single‑point‑of‑failure amplifiers in the enterprise stack – a single vulnerability can cripple all model access. Deploy strict zero‑trust network isolation for all AI middleware, decouple the AI proxy’s database backend from primary data stores, and enforce monthly rotation of large‑model access keys.

· Investor Perspective: When enterprises procure AI agent orchestration platforms, they are now embedding security audit requirements into contracts. When investing in AI infrastructure startups, technical due diligence must focus on the least‑privilege architecture of the data backend and mandatory parameterised queries. Vendor security response times should be factored into valuation discount models.
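As an added example of the least‑privilege audit the DBA perspective calls for (written for this issue; not LiteLLM’s, BerriAI’s or any vendor’s code): given rows in the shape of PostgreSQL’s pg_roles and information_schema.role_table_grants, the script reports whether the application role is a superuser, which role attributes it holds beyond a plain login role, and which table privileges exceed what an application needs, then emits the ALTER ROLE / REVOKE statements that remove them. The role name litellm, the sample rows and the allow‑list of needed privileges are assumptions; LiteLLM_VerificationToken is the table the advisory names.

```python
# Table privileges an application role plausibly needs on its own tables.
# This allow-list is an assumption for the example, not a LiteLLM requirement;
# tune it to what the application's migrations and queries actually use.
APP_TABLE_PRIVS = {"SELECT", "INSERT", "UPDATE", "DELETE"}

# Constructed rows in the shape of
#   SELECT rolname, rolsuper, rolcreaterole, rolcreatedb, rolbypassrls FROM pg_roles;
# "litellm" mirrors the weak default the advisory describes: the app connects as a superuser.
PG_ROLES = [
    {"rolname": "postgres",  "rolsuper": True,  "rolcreaterole": True,  "rolcreatedb": True,  "rolbypassrls": True},
    {"rolname": "litellm",   "rolsuper": True,  "rolcreaterole": False, "rolcreatedb": True,  "rolbypassrls": False},
    {"rolname": "reporting", "rolsuper": False, "rolcreaterole": False, "rolcreatedb": False, "rolbypassrls": False},
]

# Constructed rows in the shape of
#   SELECT grantee, table_name, privilege_type FROM information_schema.role_table_grants;
ROLE_TABLE_GRANTS = [
    ("litellm",   "LiteLLM_VerificationToken", "SELECT"),
    ("litellm",   "LiteLLM_VerificationToken", "INSERT"),
    ("litellm",   "LiteLLM_VerificationToken", "UPDATE"),
    ("litellm",   "LiteLLM_VerificationToken", "DELETE"),
    ("litellm",   "LiteLLM_VerificationToken", "TRUNCATE"),
    ("litellm",   "LiteLLM_VerificationToken", "TRIGGER"),
    ("reporting", "LiteLLM_VerificationToken", "SELECT"),
]

# Role attributes a plain application login should not carry, with the
# ALTER ROLE keyword that clears each one.
RISKY_ATTRS = {
    "rolcreaterole": "NOCREATEROLE",
    "rolcreatedb": "NOCREATEDB",
    "rolbypassrls": "NOBYPASSRLS",
}


def audit_app_role(role, pg_roles, grants):
    """Compare one role against the least-privilege expectation and return findings.
    Note: while rolsuper is true, PostgreSQL skips grant checks entirely, so the
    excess_grants list only becomes meaningful once the role is NOSUPERUSER."""
    info = next((r for r in pg_roles if r["rolname"] == role), None)
    if info is None:
        raise ValueError(f"role {role!r} not found in pg_roles")
    return {
        "superuser": bool(info["rolsuper"]),
        "role_attributes": [a for a in RISKY_ATTRS if info.get(a)],
        "excess_grants": sorted(
            (table, priv) for grantee, table, priv in grants
            if grantee == role and priv not in APP_TABLE_PRIVS
        ),
    }


def remediation_sql(role, findings):
    """Emit the statements that bring the role down to least privilege.
    Identifiers are double-quoted because LiteLLM's table names are mixed-case."""
    stmts = []
    if findings["superuser"]:
        stmts.append(f'ALTER ROLE "{role}" NOSUPERUSER;')
    for attr in findings["role_attributes"]:
        stmts.append(f'ALTER ROLE "{role}" {RISKY_ATTRS[attr]};')
    for table, priv in findings["excess_grants"]:
        stmts.append(f'REVOKE {priv} ON TABLE "{table}" FROM "{role}";')
    return stmts


if __name__ == "__main__":
    for role in ("litellm", "reporting"):
        f = audit_app_role(role, PG_ROLES, ROLE_TABLE_GRANTS)
        print(role, "->", f)
        for s in remediation_sql(role, f):
            print("  ", s)
```

Run the two SELECTs against the real instance and feed their rows in; a clean result for the application role is `superuser` false, no risky attributes, and an empty excess list. The generated statements are meant to be reviewed and applied in a change window, since revoking TRUNCATE or TRIGGER from a role that a migration tool actually uses will break that tool.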

02|Dameng Wins Beijing Telecom Production Project, Deepening Industry Penetration

According to the direct procurement announcement published on May 5 (China Telecom Beijing Branch Production Project Direct Procurement Notice No. 20260450601), Wuhan Dameng Database Co., Ltd. has officially won the bid for the Beijing Telecom production project.

This is Dameng’s latest consecutive breakthrough in the government and enterprise sector. On April 22, at the 2026 China Database Technology and Industry Conference, Dameng launched its full range of new products including DM9, GDMBASE V4.0, and the DAMENG PAI V2.0 all‑in‑one machine. Guangxi Computing Centre also recently procured 39 sets of Dameng databases. In the telecom sector, Dameng appeared at the 2026 Mobile Cloud Conference on May 8, demonstrating how DM9’s “five‑in‑one” architecture (centralised + distributed + TP + AP + AI) helps operators achieve efficient data management.

· DBA Perspective: Telecom operators are among the most complex migration environments – user billing queries, network performance analysis, and signalling data storage demand extremely high concurrency and real‑time capability. Dameng’s consecutive wins in the telecom sector confirm that its underlying technology has passed rigorous validation in batch‑stream integration and real‑time data processing. For DBAs planning Xinchuang migrations, Dameng’s smooth adaptation process for legacy Oracle application objects and syntax provides a reference for designing migration drill SOPs.

· CTO Perspective: DM9’s “five‑in‑one” architecture answers a long‑standing technology selection dilemma – previously you had to choose between centralised and distributed, build ETL bridges between TP and AP, and maintain separate on‑prem and cloud deployments. Now Dameng unifies everything in a single database kernel. CTOs can add Dameng to their shortlist for heterogeneous core system transformation, starting with low‑sensitivity environments like billing history databases or operational reporting warehouses for POC validation.

· Investor Perspective: Consecutive wins in operator and government heavy‑weight projects, combined with strong Q1 2026 financial results (revenue up 59% YoY to RMB 410M, gross margin 96.6%), indicate that Dameng is shifting from “policy‑driven procurement” to technology‑competitiveness‑driven adoption in the Xinchuang arena. The steady stream of government and enterprise orders is continuously adding valuation accelerators for the secondary market. The key to watch is Dameng’s breakthrough in financial core transaction scenarios.

03|CETC Kingware’s KingbaseES in Medical Xinchuang: Real‑World Testing on Billion‑Record HIS with High Concurrency

CETC Kingware (formerly Renda Kingware) recently published a technical blog disclosing large‑scale production results of KingbaseES in core healthcare system modernisation. During a full migration of a tertiary hospital’s HIS (Hospital Information System), covering 89 application systems and over 3.1 billion records of historical data, the migration achieved zero interruption of core clinical services during the cutover window, and response latency under high concurrency remained at millisecond level after migration. In a planning case for a municipal geriatric hospital facing a capacity increase from 3,150 beds to 8,600 beds, the legacy architecture could not support the explosive growth in outpatient registrations and insurance settlement concurrency. After adopting a KingbaseES cluster architecture, the system successfully passed concurrency stress tests. In another joint case between a medical software vendor and a municipal hospital, Dameng DM8 with its DMDataWatch active‑standby cluster also delivered financial‑grade high availability and strong data consistency.

· DBA Perspective: Medical Xinchuang has long been considered the “toughest nut to crack” – HIS involves tightly coupled processes like registration, prescribing, payment, admission, and discharge. A slight mistake during database failover can cause a service‑wide outage. CETC Kingware’s zero‑cutover‑interruption delivery across 89 application systems and 3.1 billion records provides a reusable migration methodology for DBAs in the healthcare sector – especially the use of “dual‑track parallel validation” and “end‑to‑end data reconciliation” to ensure cross‑system data consistency.

· CTO Perspective: The technology foundation for core healthcare systems has shifted from “proprietary hardware + foreign database” stacks to a “software‑defined elastic architecture” based on domestic databases. KingbaseES clusters have proven their stability across multi‑campus, high‑concurrency scenarios – meaning the path to healthcare group‑wide reform has been cleared. CTOs should bring database cluster selection forward to the early planning stages of large medical Xinchuang projects.

· Investor Perspective: KingbaseES’s full‑migration success in a tier‑3 hospital core system validates its strong stability in the most challenging segment of commercial database replacement. This accelerates the penetration of medical Xinchuang from central government to local tier‑3 hospitals, driving Kingware’s potential order growth in the healthcare sector over the next three years.

04|SAP Buys Two Data/AI Companies in One Week: €1B for EU Structured Data AI Lab

On May 4, SAP announced the acquisition of open‑source lakehouse platform Dremio (expected to close in Q3 2026), integrating its technology into SAP Business Data Cloud to build an Apache Iceberg‑native lakehouse. On May 6, SAP announced the acquisition of German AI startup Prior Labs and revealed a plan to invest €1 billion over four years to build a “frontier AI lab” for structured data in Germany. The lab will operate as a relatively independent R&D entity, continuously maintaining open‑source versions while leveraging SAP AI Core, Business Data Cloud, and the Joule agent layer to rapidly embed research outcomes into SAP products. SAP’s Q1 2026 cloud revenue grew 27% year‑on‑year, providing foundational support for these acquisitions. SAP previously spent approximately $11 billion to acquire data streaming platform Confluent, further strengthening its real‑time data processing capabilities for the AI era.

· DBA Perspective: Dremio’s core capability is federated analysis across cross‑platform data sources based on the Iceberg standard without moving data. This not only breaks down data silos but directly challenges traditional ETL pipelines. With Dremio technology integrated into Business Data Cloud, the DBA’s role will further evolve from “database custodian” to “enterprise data lakehouse federated architect”. Mastering Iceberg table format design and Polaris metadata management will become a key competency over the next three years.

· CTO Perspective: SAP’s two acquisitions in seven days, plus a billion‑euro structured data AI lab – the strategic intent is clear: capture leadership in enterprise structured data AI. For CTOs in the SAP ecosystem, the future technology roadmap becomes clearer: a unified data foundation (Iceberg) + a unified AI inference engine (Prior Labs TFMs), dramatically reducing data movement costs between SAP and non‑SAP systems. For other CTOs, this string of moves signals that data format standardisation (Iceberg) and tabular representation of AI models are battlegrounds for 2026‑2027.

· Investor Perspective: SAP’s sequential acquisitions of Dremio, Prior Labs, and Confluent mark the entry of enterprise AI data infrastructure into a “jigsaw‑style integration” phase. The €1 billion structured data AI lab signals explosive growth in demand for parameterised vertical small models for enterprise data. Going forward, watch for startups in the Iceberg + REST API ecosystem – those focusing on metadata services, data federation engines, and data governance will become strategic M&A targets.

05|AI‑In‑Database Wave: MongoDB 8.3 for AI Speed, Oracle 26ai with 300+ New Features

Two major database vendors released AI‑centric versions in a single week. On May 7, at the .local conference in London, MongoDB released MongoDB 8.3, positioned as “the database built for AI speed”. Compared to 8.0, it delivers +35% write throughput, +45% read throughput, and +15% ACID transaction throughput without any application code changes. Atlas Vector Search adds a public preview of Automated Voyage AI Embeddings, automatically generating vector embeddings on data write to provide accurate real‑time context for AI agents. Oracle 26ai, the latest LTS release, includes over 300 new features focused on AI capabilities and developer productivity, with enhancements to SQL and PL/SQL language features and new data types.

Meanwhile, IBM Db2 12.1.5 is scheduled for general availability on June 9, featuring AI‑driven database management including an enhanced Db2 Genius Hub that can automate routine DBA tasks within a rule framework. IBM previously supported AWS Bedrock and IBM watsonx.ai; this update adds support for Microsoft Azure AI Foundry.

· DBA Perspective: The three giants (Oracle, MongoDB, IBM) all announced major AI database updates this week. DBAs should note: AI capabilities are rapidly becoming standard competitive features in database products. MongoDB 8.3’s throughput improvements require no application code changes, demonstrating that database engines are undergoing fundamental performance renewals for the AI era. In the coming year, ‘AI workload optimisation capability’ will significantly influence technology selection decisions. DBAs can begin preparing for automated embedding validation and vector search scenario research in MongoDB.

· CTO Perspective: Oracle 26ai as an LTS release means Oracle users can expect stable iterations of AI integration features for years to come. MongoDB 8.3’s emphasis on accelerating AI while maintaining full backwards compatibility lowers upgrade risk for existing projects.

· Investor Perspective: MongoDB is down approximately 35.7% year‑to‑date. The 8.3 release, together with the Q1 FY2027 earnings announcement on May 20, will be a key market test for the commercialisation progress of AI databases. Oracle 26ai’s LTS roadmap and regular AI feature updates reinforce long‑term enterprise upgrade willingness, helping stabilise recurring revenue from its database business.

📅 Recent Database Hot Topics Recap

Date | Event | Core Highlights
May 4 | SAP announces acquisition of Dremio + Confluent | Iceberg‑native lakehouse integration; seizing the AI‑era data foundation
May 5 | Dameng wins Beijing Telecom production project | Another win in the telecom operator sector
May 6 | Bishop Fox discloses LiteLLM pre‑auth SQL injection CVE-2026-42208 | AI infrastructure security alarm
May 6 | SAP announces acquisition of Prior Labs, €1B for structured data AI lab | Table Foundation Models for structured data inference become a focus
May 6 | CETC Kingware KingbaseES medical Xinchuang case disclosed | Tertiary hospital HIS system with billion‑record high concurrency, zero downtime
May 7 | MongoDB 8.3 GA | Designed for AI speed; throughput gains without code changes
May 8 | PraisonAI patches CVE-2026-41496 affecting 9 DB backends | SQL injection risks in multi‑agent AI systems
May 8 | Oracle 26ai LTS released | 300+ new features; AI + developer experience upgrades
May 8 | Dameng appears at 2026 Mobile Cloud Conference | DM9’s “five‑in‑one” architecture empowering operator digital transformation
May 8‑9 | Multiple high‑severity CVEs disclosed | AI infrastructure becoming primary attacker target

📌 Issue Summary

News | Core Keywords | DBA Actions | CTO/Decision‑Maker Focus | Investor Perspective
LiteLLM severe SQL injection | Pre‑auth blind injection, AI gateway, superuser privilege leak | Audit AI middleware DB configs; enforce least privilege | Zero‑trust network isolation; enforce API key rotation | Technical DD must check parameterised query architecture
CETC Kingware KingbaseES medical Xinchuang | HIS high concurrency zero downtime, 3.1B record migration | Use dual‑track parallel validation to build cross‑app data consistency SOPs | Domestic DB clusters become a new choice for healthcare group reform | Closed‑loop tertiary core system migration opens medical Xinchuang market
Dameng consecutive telecom wins | DM9 five‑in‑one architecture, multiple operator contracts | Learn Dameng’s smooth adaptation for legacy Oracle syntax | Shortlist Dameng for POC in heterogeneous core system transformation | Government/enterprise orders + strong earnings reinforce valuation
SAP acquires Dremio & Prior Labs | Iceberg lakehouse, Table FMs, structured data AI lab | Master Iceberg table format & Polaris metadata; evolve into lakehouse federated architect | Data format standardisation + tabular AI models are must‑win battlegrounds | Iceberg ecosystem startups become strategic M&A candidates
AI database three‑giant releases | MongoDB 8.3 speed, Oracle 26ai 300+ features, Db2 AI automation | AI workload optimisation capability will sway selection decisions; start vector search research | Smoothly upgrade existing AI systems; leverage MongoDB 8.3 compatibility | May 20 earnings reports will validate AI database commercialisation

HiddenMerit Team Production Slogan: 绩优隐于内,金石启新程 | Hidden deep. Merit bold. Forge ahead.


绩隐金, all rights reserved | Unless otherwise noted, all content is original | This site is licensed under the BY-NC-SA licence
Please credit the original link when reposting: HiddenMerit Daily · Issue 14