📊 HiddenMerit Daily · Issue 20
Focus on Database Frontiers, Practical Insights for DBAs | May 15, 2026 | 5 Selected Global Breaking News
01|Alibaba Cloud RDS MySQL 8.4 Officially Launched: First LTS Version Paves EOL Transition Path for 8.0 Users
On May 14, Alibaba Cloud announced the official launch of RDS MySQL 8.4. As the first LTS (long-term support) release of MySQL Community Edition, 8.4 carries a longer support lifecycle and greater stability than 8.0, and integrates optimisations from the AliSQL kernel: second-level column changes, large-transaction governance and replication-lag optimisation are all included. Alibaba Cloud states that it is fully compatible with MySQL 8.0 syntax and plugins and supports smooth upgrades.
In response to MySQL 8.0 reaching end of life on April 30, Alibaba Cloud introduced a differentiated support strategy: it commits to continued kernel-level maintenance for existing RDS MySQL 8.0 instances, including security vulnerability fixes, critical bug fixes and stability enhancements, so users need not rush and can plan an orderly move to 8.4. An in-place upgrade path from RDS MySQL 8.0 to 8.4 is under development, aiming at a one-click, low-risk upgrade that is transparent to the business.
-
DBA Perspective: Alibaba Cloud's move relieves the pressure on operations teams still anxious about 8.0. If you were worried about business disruption from a rushed upgrade, you can now tell your boss with some confidence that the cloud vendor is covering the EOL risk. Be clear about what that cover is: kernel-level fixes for the managed 8.0 instance, not application-side compatibility with 8.4. Upstream MySQL 8.4 no longer enables mysql_native_password by default and removed the legacy replication statements (CHANGE MASTER TO, START SLAVE, SHOW SLAVE STATUS and friends), so accounts and runbooks that still rely on them need to be found before the window opens. Define a smooth upgrade window in your operational plans as early as possible, test the actual performance benefit of the AliSQL kernel enhancements in an 8.4 environment, and avoid being forced into a last-minute rush when the extended support period ends.
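A pre-upgrade compatibility check for the 8.0 to 8.4 move, added here as an example; it is not Alibaba Cloud or MySQL code. It covers two upstream MySQL 8.4 behaviour changes (the assumption being that the managed kernel follows upstream on both; confirm with the vendor): accounts still on mysql_native_password, which 8.4 disables by default, and runbooks that use the replication statements removed in 8.4. The user rows and the runbook text below are constructed samples; in real use, feed it the output of the query in USER_PLUGIN_SQL and the SQL text of your operational scripts.

```python
import re

# Run on the 8.0 instance: which authentication plugin each account uses.
USER_PLUGIN_SQL = "SELECT user, host, plugin FROM mysql.user"

# Legacy replication statements removed in upstream MySQL 8.4.0, with the
# replacement syntax that already works on 8.0 (so runbooks can be fixed first).
REMOVED_STATEMENTS = {
    r"\bCHANGE\s+MASTER\s+TO\b": "CHANGE REPLICATION SOURCE TO",
    r"\bSTART\s+SLAVE\b": "START REPLICA",
    r"\bSTOP\s+SLAVE\b": "STOP REPLICA",
    r"\bRESET\s+SLAVE\b": "RESET REPLICA",
    r"\bSHOW\s+SLAVE\s+STATUS\b": "SHOW REPLICA STATUS",
    r"\bSHOW\s+SLAVE\s+HOSTS\b": "SHOW REPLICAS",
    r"\bSHOW\s+MASTER\s+STATUS\b": "SHOW BINARY LOG STATUS",
    r"\bRESET\s+MASTER\b": "RESET BINARY LOGS AND GTIDS",
}


def native_password_accounts(user_rows):
    """(user, host) pairs still on mysql_native_password, which 8.4 disables by default."""
    return [(user, host) for user, host, plugin in user_rows
            if plugin == "mysql_native_password"]


def removed_statement_hits(sql_text):
    """(line_no, matched_text, replacement) for each removed statement found in sql_text.

    Assumption: one statement per line, which is how runbooks are usually written;
    a real scanner would tokenise the SQL instead of matching line by line.
    """
    hits = []
    for line_no, line in enumerate(sql_text.splitlines(), start=1):
        for pattern, replacement in REMOVED_STATEMENTS.items():
            match = re.search(pattern, line, flags=re.IGNORECASE)
            if match:
                hits.append((line_no, match.group(0), replacement))
    return hits


def precheck_report(user_rows, script_sql):
    """Summarise both checks; 'ready' is False while anything would break on 8.4."""
    accounts = native_password_accounts(user_rows)
    hits = removed_statement_hits(script_sql)
    return {
        "native_password_accounts": accounts,
        "removed_statements": hits,
        "ready": not accounts and not hits,
    }


# Constructed sample inputs standing in for real query output and a real runbook.
SAMPLE_USERS = [
    ("root", "localhost", "caching_sha2_password"),
    ("legacy_app", "%", "mysql_native_password"),
    ("reporting", "10.0.0.%", "caching_sha2_password"),
]
SAMPLE_RUNBOOK = """-- failover runbook (constructed sample)
STOP SLAVE;
CHANGE MASTER TO MASTER_HOST='db-primary', MASTER_PORT=3306;
START SLAVE;
SHOW SLAVE STATUS\\G
"""

if __name__ == "__main__":
    report = precheck_report(SAMPLE_USERS, SAMPLE_RUNBOOK)
    for user, host in report["native_password_accounts"]:
        print(f"account {user}@{host}: migrate to caching_sha2_password or keep the plugin enabled")
    for line_no, found, fix in report["removed_statements"]:
        print(f"runbook line {line_no}: '{found}' is gone in 8.4, use '{fix}'")
    print("ready for 8.4" if report["ready"] else "not ready for 8.4")
```

Fix the findings on the 8.0 instance first: the replacement replication syntax and caching_sha2_password both already work on 8.0, so the runbooks and accounts can be migrated and verified before the upgrade window rather than during it.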
-
CTO Perspective: Alibaba Cloud's "no EOL anxiety" strategy is attractive because it lowers decision risk for 8.0 users. For enterprises that have not yet completed migration, it is a cushion that extends the decision window. Attention should still be paid to the gap between the end of the cloud vendor's extended support and any subsequent mandatory upgrade deadline, with sufficient budget reserved for a Plan B.
-
Investor Perspective: Alibaba Cloud smooths over the user anxiety caused by MySQL EOL through differentiated services. The lock-in effect on existing customers can sustain steady growth in RDS revenue, and it also puts pricing pressure on other public cloud vendors' services.
02|PostgreSQL Releases Updates Across Multiple Series: 11 Security Vulnerabilities + 60 Bugs Fixed, PG 14 End‑of‑Life Countdown Begins
On May 14, the PostgreSQL Global Development Group released updates for all supported versions (18.4, 17.10, 16.14, 15.18 and 14.23), fixing 11 security vulnerabilities and over 60 bugs. Two high-severity CVEs stand out:
- CVE-2026-6472 (missing privilege checks in CREATE TYPE): affects versions 14 to 18. The creator of an object can hijack queries that depend on search_path, causing victims to execute arbitrary SQL functions of the attacker's choosing.
- CVE-2026-6473 (integer wraparound leading to an out-of-bounds write): also affects versions 14 to 18. An attacker supplying crafted input can make the server allocate too little memory and write past the buffer, leading to a segmentation fault.
In addition, PostgreSQL 14 reaches end of life on November 12, 2026 and will receive no further patch updates after that date. The community strongly recommends that anyone running PG 14 in production plan an upgrade to a newer major version as early as possible.
-
DBA Perspective: With PG 14 entering its EOL countdown, DBAs have about six months to complete upgrade planning; teams still running PG 14 in production should start the assessment now. Keep the two tasks apart: the May minor releases are in-place binary updates applied with a restart and should go out immediately on every supported major version, while the move off 14 is a major upgrade. CVE-2026-6472 deserves particular attention because it combines privilege escalation with object hijacking through search_path. Run pg_upgrade --check ahead of time, focusing on extension dependencies, and review search_path hygiene: pin search_path on SECURITY DEFINER functions and check which roles can create objects in schemas that appear early in users' search_path.
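The search_path review suggested above, as an added example: a small audit that lists SECURITY DEFINER functions whose search_path is unpinned or weakly pinned and emits the ALTER FUNCTION that fixes each one. It is a general hardening check, not a detector for CVE-2026-6472, and it is not PostgreSQL project code. AUDIT_SQL is a real catalog query to run with psql or psycopg; the rows below are constructed to match its output shape (proconfig arrives as a list of 'name=value' strings, or None when the function sets nothing). RISKY_SCHEMAS and the classification rules are this example's assumptions, drawn from the search_path resolution rules in the PostgreSQL documentation.

```python
# Catalog query to run with psql or psycopg: every SECURITY DEFINER function outside
# the system schemas, with its identity arguments and per-function settings.
AUDIT_SQL = """
SELECT n.nspname, p.proname, pg_get_function_identity_arguments(p.oid), p.proconfig
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE p.prosecdef
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
ORDER BY 1, 2
"""

# Schemas an ordinary role may be able to create objects in. If the definer's
# search_path consults them, the caller can plant a same-named function or
# operator that the function body resolves to and runs with the definer's rights.
RISKY_SCHEMAS = {"public", '"$user"', "$user"}


def parse_search_path(proconfig):
    """Schemas pinned by a 'search_path=...' entry in proconfig, or None if unpinned."""
    for setting in proconfig or []:
        name, _, value = setting.partition("=")
        if name.strip().lower() == "search_path":
            return [s.strip() for s in value.split(",") if s.strip()]
    return None


def classify(proconfig):
    """'missing', 'weak' or 'ok' for one function's search_path pinning."""
    schemas = parse_search_path(proconfig)
    if schemas is None:
        return "missing"   # objects resolve in the caller's search_path
    if any(s in RISKY_SCHEMAS for s in schemas):
        return "weak"      # a caller-writable schema is consulted
    if "pg_catalog" in schemas and schemas[0] != "pg_catalog":
        return "weak"      # pg_catalog listed late, so a user schema can shadow system objects
    if schemas[-1] != "pg_temp":
        return "weak"      # the caller's temp schema is searched first unless pg_temp is last
    return "ok"


def quote_ident(name):
    return '"' + name.replace('"', '""') + '"'


def remediation(schema, name, args):
    """DDL that pins the function's search_path to the conventional safe value."""
    return (f"ALTER FUNCTION {quote_ident(schema)}.{quote_ident(name)}({args}) "
            f"SET search_path = pg_catalog, pg_temp;")


def audit(rows):
    """(schema, name, verdict, fix_sql) for every function that is not 'ok'."""
    findings = []
    for schema, name, args, proconfig in rows:
        verdict = classify(proconfig)
        if verdict != "ok":
            findings.append((schema, name, verdict, remediation(schema, name, args)))
    return findings


# Constructed rows in the shape AUDIT_SQL returns (proconfig is a list or None).
SAMPLE_ROWS = [
    ("app", "reset_password", "uid integer", None),
    ("app", "audit_login", "uid integer", ["search_path=public, pg_temp"]),
    ("app", "rotate_key", "", ["search_path=app, pg_temp", "work_mem=64MB"]),
    ("app", "safe_fn", "", ["search_path=pg_catalog, pg_temp"]),
    ("app", "tmp_first", "", ["search_path=app"]),
]

if __name__ == "__main__":
    for schema, name, verdict, fix in audit(SAMPLE_ROWS):
        print(f"{schema}.{name}: {verdict}\n    {fix}")
```

Pinning to pg_catalog, pg_temp breaks functions that reference their own schema's objects without qualification; either schema-qualify those references or pin to the function's own schema followed by pg_temp, which the check above also accepts as long as that schema is not writable by ordinary roles.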
-
CTO Perspective: The PG community keeps a high-frequency security response cadence, but the approaching EOL means the time to settle this technical debt is near. Put a dedicated six-month upgrade plan on the technology roadmap, prioritise moving critical workloads off PG 14 to 18.4 or 17.10, and budget for post-upgrade validation of planner statistics and execution plans (run ANALYZE after the upgrade and compare plans for critical queries).
-
Investor Perspective: The EOL of PG 14 will accelerate migration by cloud vendors and enterprise users to newer versions and drive more enterprises to buy professional migration support. PG ecosystem tooling companies and managed service providers benefit from the commercial window that the version transition opens.
03|cPanel Critical Root‑Level SQL Injection Vulnerability: sqloptimizer Can Execute Malicious SQL as Root
CVE-2026-29206, disclosed on May 14, was rated critical by VulDB. The flaw is in cPanel's sqloptimizer utility script: when slow query logging is enabled, the script neither sanitises nor parameterises the input it processes, so an attacker can get attacker-controlled SQL executed by the script. Because sqloptimizer runs as root, a successful attack escalates privileges within the database environment and can lead to full system and data compromise. Slow query logging is commonly enabled in production for performance monitoring, so a large share of cPanel-managed deployments are exposed.
-
DBA Perspective: The sqloptimizer implementation is a textbook example of what not to do, and a reminder that every automation script in the operational toolchain must follow least privilege and use parameterised queries. In the short term, check the version of the cPanel components on your servers, confirm whether slow query logging is enabled (SHOW VARIABLES LIKE 'slow_query_log' on MySQL/MariaDB), apply the patch as soon as it is available, and disable non-essential slow query logging until then.
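The bug class above, shown side by side with its fix, as an added example: it is not cPanel's sqloptimizer code and does not reproduce the specific CVE, only the pattern of a privileged maintenance script pasting data it read from a slow-query log into dynamic SQL. SQLite stands in for the real server so the block runs offline; the tables, rows and the attacker value are constructed.

```python
import sqlite3


def make_db():
    """In-memory database: a slow-query table plus a table the tool should never reach."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE slow_queries(db_user TEXT, query_time REAL, sql_text TEXT);
        INSERT INTO slow_queries VALUES
            ('app', 2.5, 'SELECT * FROM orders WHERE id = 7'),
            ('app', 9.1, 'SELECT * FROM orders WHERE status = ''open'''),
            ('report', 0.2, 'SELECT 1');
        CREATE TABLE api_keys(owner TEXT, secret TEXT);
        INSERT INTO api_keys VALUES ('root', 'constructed-secret');
    """)
    return conn


def slow_queries_for_user_vulnerable(conn, db_user):
    """The anti-pattern: a value taken from the log is pasted into the statement text."""
    sql = (f"SELECT sql_text FROM slow_queries WHERE db_user = '{db_user}' "
           f"AND query_time > 1 ORDER BY query_time DESC")
    return [row[0] for row in conn.execute(sql)]


def slow_queries_for_user(conn, db_user):
    """Fix: values travel as bound parameters and can never change the statement."""
    sql = ("SELECT sql_text FROM slow_queries WHERE db_user = ? "
           "AND query_time > 1 ORDER BY query_time DESC")
    return [row[0] for row in conn.execute(sql, (db_user,))]


def table_identifier(conn, name):
    """Identifiers cannot be bound, so allow-list them against the catalog and quote them."""
    known = {row[0] for row in
             conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")}
    if name not in known:
        raise ValueError(f"unknown table: {name!r}")
    return '"' + name.replace('"', '""') + '"'


def row_count(conn, table):
    """Maintenance-style statement that needs a table name, built only from a vetted identifier."""
    return conn.execute(f"SELECT count(*) FROM {table_identifier(conn, table)}").fetchone()[0]


# Constructed attacker value: a user that does not exist, plus a UNION that pulls another table.
PAYLOAD = "nobody' UNION SELECT secret FROM api_keys --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", slow_queries_for_user_vulnerable(db, PAYLOAD))
    print("parameterised:", slow_queries_for_user(db, PAYLOAD))
    print("rows in slow_queries:", row_count(db, "slow_queries"))
```

Two caveats carry over to the real script. The UNION payload is enough here because sqlite3's execute() refuses stacked statements; on a MySQL client with multi-statement support enabled, the same string-building would also allow a trailing DROP or GRANT. And parameterisation limits what a query can do, not what the account can do: a log analyser should connect with an account that holds only SELECT on the log tables, not as root.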
-
CTO Perspective: As the control panel for managed servers, cPanel is a supply-chain risk point that is easily overlooked because of how widely it is deployed commercially. In shared hosting and multi-tenant environments the blast radius of this vulnerability is dramatically amplified. Decision-makers must bring database management automation tools into the scope of regular security audits rather than focusing on the database kernel alone.
-
Investor Perspective: An injection flaw running with root privilege shows that code quality and compliance testing for server management toolchains is not yet standardised. Security vendors offering automated auditing and server control panel security solutions are seeing new demand.
04|ArcadeDB Authorisation Bypass Vulnerability Fixed: Authenticated Users Can Read/Write Any Database on the Server
CVE-2026-44221, disclosed on May 12, affects ArcadeDB versions before 2.6.4. It stems from two overlapping defects in ArcadeDB's security subsystem: the database user object returned by ServerSecurityUser.getDatabaseUser() has an uninitialised fileAccessMap, which requestAccessOnFile treats as access fully granted; and ArcadeDBServer.createDatabase() omits the factory.setSecurity(…) call when creating a new database, silently disabling the entire record-level authorisation system for that database. Combined, they let any authenticated user read, write and change the schema of any database on the same server.
-
DBA Perspective: The ArcadeDB case again exposes blind spots in the security maturity of niche databases. Multi-model databases are gaining popularity in AI projects, but the DBA carries the final responsibility: at project initiation, review the security model, run baseline permission tests (including a low-privilege user attempting to reach another tenant's database) and refuse database components that have not been validated to production security standards. If ArcadeDB is already deployed, upgrade to 2.6.4 immediately, restrict network access to the server's API ports, and until the upgrade lands do not host databases of mutually untrusted users on the same server.
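The two defects above reduce to one design rule, fail closed: a missing policy must deny, and the code path that creates a database must be the one that attaches its policy. The sketch below is an added example in Python, not ArcadeDB code; the class and function names are illustrative stand-ins for the Java methods named in the advisory, and the grants are constructed. It shows each defect's pattern beside the fail-closed form, plus the runtime invariant check a server can run over its own databases.

```python
from typing import Callable, Dict, Optional, Set


class AccessDenied(PermissionError):
    pass


class DatabaseUser:
    """A server user as seen by one database; grants map file name -> allowed operations."""
    def __init__(self, name: str, file_access: Optional[Dict[str, Set[str]]] = None):
        self.name = name
        self.file_access = file_access   # None models the 'never initialised' map


def request_access_on_file_vulnerable(user, file_name, op):
    """Defect 1 pattern: an uninitialised policy is read as 'no restrictions'."""
    if user.file_access is None:
        return True
    return op in user.file_access.get(file_name, set())


def request_access_on_file(user, file_name, op):
    """Fix: an absent or empty policy grants nothing; only explicit grants count."""
    if not user.file_access:
        return False
    return op in user.file_access.get(file_name, set())


Policy = Callable[[DatabaseUser, str, str], bool]


class Database:
    """Fail-closed: a database with no security hook attached refuses every request."""
    def __init__(self, name: str, security: Optional[Policy] = None):
        self.name = name
        self.security = security

    def authorize(self, user, file_name, op):
        if self.security is None:
            raise AccessDenied(f"{self.name}: no security hook attached")
        if not self.security(user, file_name, op):
            raise AccessDenied(f"{user.name} may not {op} {file_name} in {self.name}")
        return True


class FailOpenDatabase(Database):
    """Defect 2 pattern: a database created without its hook skips all checks."""
    def authorize(self, user, file_name, op):
        if self.security is None:
            return True
        return super().authorize(user, file_name, op)


class Server:
    def __init__(self):
        self.databases = {}

    def create_database(self, name):
        # Attach the policy in the one code path that constructs databases, so a
        # forgotten call elsewhere cannot leave a database unprotected.
        db = Database(name, security=request_access_on_file)
        self.databases[name] = db
        return db

    def unprotected_databases(self):
        """Runtime invariant check: names of databases with no hook attached."""
        return [n for n, db in self.databases.items() if db.security is None]


if __name__ == "__main__":
    analyst = DatabaseUser("analyst")                       # never granted anything
    print("vulnerable check:", request_access_on_file_vulnerable(analyst, "customers", "write"))
    print("fail-closed check:", request_access_on_file(analyst, "customers", "write"))
    srv = Server()
    srv.create_database("tenant_a")
    srv.databases["tenant_b"] = FailOpenDatabase("tenant_b")  # simulates the forgotten call
    print("unprotected:", srv.unprotected_databases())
```

The baseline permission test mentioned above is the same idea turned into a check: create a user with no grants, attempt every operation against every database on the server, and treat any success as a failed test.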
-
CTO Perspective: Security vulnerability disclosures for community open-source databases are becoming more frequent, and managing a diverse technology stack has to be paired with security testing. When introducing a non-mainstream database, set security compliance red lines in advance: full validation of the authorisation framework, baseline penetration testing, a circuit-breaker escape plan, and dedicated staff for specialised audits.
-
Investor Perspective: The security deficiency exposed at ArcadeDB again draws capital market attention to the AI database security compliance track, with risk extending from traditional databases to the peripheral ecosystem. Companies providing open-source component security scanning and permission baseline validation will continue to command a valuation premium in enterprise security procurement.
05|OceanBase V4.6.0 Released: Hybrid Search Capabilities Fully Upgraded, Creating a “RAG all in One” Solution
On April 28, OceanBase officially released V4.6.0, continuing its "integrated" product path and deepening multi-modal convergence. V4.6.0 makes several advances in the vector database area: a native SQL hybrid search interface supporting fused vector, full-text and scalar queries; match phrase search and search indexes; and a redesigned hybrid search execution framework that significantly improves full-text index query and build performance. It also improves HNSW index performance for incremental workloads, extends IVF index support to tables without primary keys, and, together with Document AI, builds an end-to-end "RAG all in One" knowledge base solution.
At the HTAP level, it adds intelligent routing and strongly consistent reads for column-store replicas, plus automatic partition splitting for column-store tables. Under high concurrency, replica table query performance improved 14-fold, and single-thread memory allocation performance improved by 168%. OceanBase also ranked first in the May 2026 China Database Popularity Ranking on modb.pro with a score of 830.74, and released the seekdb M0 plugin as an "external memory hub" for the AI agent framework OpenClaw.
-
DBA Perspective: Integrated multi-modal convergence has finally moved from PowerPoint to a usable product. During the POC phase for vector hybrid search, DBAs should establish a baseline for SQL execution and validate workload isolation strategies; HNSW incremental performance and intelligent column-store routing are the key evaluation points. If preparing for "RAG all in One", measure the performance ceiling of OceanBase's native hybrid search on your own data rather than relying on vendor figures.
-
CTO Perspective: With V4.6.0's hybrid search and column-store acceleration, OceanBase continues to build a technical moat around integrated convergence, and its strategy of combining multi-modal search, HTAP and AI applications is accelerating. For CTOs, choosing OceanBase may mean a full-stack converged data architecture that significantly reduces the complexity of connecting AI applications to the data foundation, but the accompanying costs of elastic hardware management need attention.
-
Investor Perspective: OceanBase keeps up a steady integrated product iteration cadence. Its engineering lead in integrated AI solutions supports order conversion in key industries such as finance and telecommunications, domestically and overseas, and the popularity ranking top spot together with the "RAG all in One" rollout will deepen partner ecosystem development. Track the commercial penetration of OceanBase's AI foundation in AI application scenarios.
📅 This Week’s Industry Events and Database Landscape Updates (May 14–15)
| Date | Event | Core Highlights |
|---|---|---|
| May 12 | Dameng Data releases four strategic new products | DM9 “five‑in‑one” architecture fully evolved; graph database V4.0 deeply integrates multi‑agent collaboration framework and HyperRAG framework |
| May 12 | Vastbase announces private placement of up to RMB 702 million | RMB 489 million for next‑gen HTAP DB project, RMB 213 million for multi‑modal time‑series DB project |
| May 13 | MySQL 9.7.0 LTS generally available | First major release since 8.4; enterprise features (Hypergraph Optimizer, JSON Duality) brought to Community Edition; dynamic data masking and OpenID authentication added |
| May 14 | Alibaba Cloud RDS MySQL 8.4 officially launched | First LTS release; deeply integrates AliSQL kernel optimisations; provides smooth upgrade path and maintenance support for EOL’d 8.0 users |
| May 14 | PostgreSQL 18.4/17.10/16.14/15.18/14.23 released | Fixes 11 security vulnerabilities and 60+ bugs, including high‑risk CVEs; PG 14 end‑of‑life countdown begins |
| May 14 | cPanel CVE-2026-29206 critical vulnerability disclosed | sqloptimizer executes SQL injection as root; slow query logging enabled widens attack surface |
| May 14 | ArcadeDB CVE-2026-44221 vulnerability disclosed | Authenticated users can read/write any database on the same server; security maturity alarm for multi‑model databases |
| May 14 | CKAN data management system CVE-2026-42031 | Severe SQL injection in datastore_search_sql function |
| May 14 | CubeCart eCommerce CVE-2026-45054 | Time‑based blind injection to obtain admin password hash; deep impact on customer privacy |
| May 14 | BEAR WooCommerce Bulk Editor CVE-2026-45213 | Severe SQL injection vulnerability, may lead to complete server takeover |
| April 28 | OceanBase V4.6.0 officially released | Native SQL hybrid search interface; “RAG all in One” solution; replica table query performance improved 14x under high concurrency |
📌 Issue Summary
| News | Core Keywords | DBA Actions | CTO/Decision‑Maker Focus | Investor Perspective |
|---|---|---|---|---|
| Alibaba Cloud RDS MySQL 8.4 launches | First LTS, smooth upgrade, EOL coverage | Plan 8.0→8.4 upgrade window early; test AliSQL kernel enhancement benefits | Extend decision window; evaluate cloud vendor support period and mandatory upgrade deadline | Differentiated services lock in existing customers; sustained steady growth expected |
| PostgreSQL multi‑version security update | 11 CVEs, PG 14 EOL countdown | Upgrade to latest versions; audit search_path configuration security | EOL deadline approaching; need dedicated six‑month upgrade plan | PG ecosystem toolchains and managed service providers benefit from upgrade window |
| cPanel sqloptimizer vulnerability | Root‑level SQL injection, slow query log | Check cPanel version status; disable non‑essential slow query logging | Include database management tools in regular security audit scope | Demand grows for server management toolchain security testing services |
| ArcadeDB authorisation bypass | Multi‑model DB, full authorisation bypass | Upgrade to 2.6.4; ban non‑security‑validated components from production | Pair security testing and escape plans when introducing new tech stacks | Open‑source component security scanning sector continues to enjoy premium |
| OceanBase V4.6.0 release | Hybrid search, RAG all in One, replica table query ↑14x | Assess hybrid search performance upper limit and workload isolation strategies during POC | Integrated convergence architecture reduces AI dev complexity; need to manage hardware elastic costs | AI integration leadership supports order conversion in key industries |
HiddenMerit Team Production Slogan: 绩优隐于内,金石启新程 | Hidden deep. Merit bold. Forge ahead.