
HiddenMerit Daily · Issue 21

DailyIssue | Clyde Jin | 3 days ago


Focus on Database Frontiers, Practical Insights for DBAs
May 16, 2026 | 5 Selected Global Breaking News

01|Oracle Database@AWS Now GA: Launches in Tokyo and Oregon, Toronto and Sydney Coming Soon

Oracle and AWS jointly announced that Oracle Database@AWS 23ai has reached General Availability (GA) in the US East (Northern Virginia, April 2026) and US West (Oregon) regions, with the Tokyo region added in May. Upcoming regions include Canada (Toronto) and Australia (Sydney).

Oracle Database@AWS runs on OCI hardware inside AWS data centres, offering Oracle Exadata Dedicated Infrastructure database service and Oracle Autonomous Database service. The service is deeply integrated with Amazon EC2, EKS, and ECS, supporting core AI features of Oracle 23ai such as AI vector search, embedded machine learning, natural language query (NLQ), and automatic index optimisation, enabling unified governance of structured and unstructured data.

· DBA Perspective: The deep collaboration between Oracle and AWS – long‑time rivals – sends a clear signal: “Multi‑cloud is no longer an option, it is a necessity.” In the past, DBAs were forced to choose sides between cloud vendors and Oracle; now they can deploy Oracle directly from the AWS console, with low‑latency direct connectivity over the AWS backbone solving the performance pain points of cross‑cloud calls. However, note that with cross‑platform deployment, DBAs must juggle two management systems – AWS (compute layer) and OCI (data layer) – which demands hybrid operations skills and federated governance capabilities in multi‑cloud environments.
· CTO Perspective: Oracle placing its core database software stack inside its “rival” AWS data centres is an admission that single‑cloud lock‑in is over. For CIOs/CTOs, multi‑cloud strategy finally has a compliance option that makes Oracle a first‑class citizen – they can leverage Oracle’s extreme transaction processing capabilities directly within the AWS application ecosystem, without endlessly weighing “migration cost” against “technology choice.”
· Investor Perspective: The GA of Oracle Database@AWS marks Oracle’s accelerated shift from “heavy‑asset on‑premises” to “lightweight cross‑cloud platform.” If the service achieves large‑scale enterprise adoption, it will significantly increase Oracle’s SaaS/PaaS cloud revenue share. At the same time, AWS fills a gap in its own product matrix for high‑end databases, creating a win‑win competitive‑cooperative dynamic.

Source: Oracle/AWS Announcement & CSDN Blog

02|PostgreSQL Emergency Security Update: 11 CVEs Fixed, pg_createsubscriber and CREATE TYPE High‑Risk Flaws Exposed

On May 14, the PostgreSQL Global Development Group released security updates for versions 18.4, 17.10, 16.14, 15.18, and 14.23, fixing a total of 11 CVE security vulnerabilities. Two high‑risk vulnerabilities deserve special attention:

· CVE-2026-6472 (CVSS score unknown but marked as high risk): Missing privilege check when creating multirange schemas in CREATE TYPE. Attackers can hijack queries that depend on search_path, using CREATE OR REPLACE FUNCTION to inject malicious functions, then execute arbitrary SQL with higher privileges in the victim’s session context. Temporary mitigation: revoke CREATE TYPE privileges from non‑admin roles.
· CVE-2026-6473 (CVSS score unknown but marked as high risk): Integer wraparound leads to insufficient memory allocation, causing out‑of‑bounds write and segmentation fault. All versions 14‑18 are affected.
· pg_createsubscriber SQL injection: In versions 17 and 18, the pg_createsubscriber tool does not properly sanitise subscriber names. An attacker with pg_create_subscription privileges can run arbitrary SQL as a superuser the next time the tool is executed.

Debian has released the corresponding security updates DSA 6269-1 and 6270-1. The fixes also cover an SQL injection vector in replication tools and a timing side‑channel leak that could expose MD5 passwords.

· DBA Perspective: The SQL injection in pg_createsubscriber, which runs with superuser privileges, is the most easily overlooked but most deadly point in this news. Many DBAs habitually assume “management tools are safe by default,” but this vulnerability proves that even official tools are not immune to input validation flaws. DBAs should immediately review the usage scenarios of pg_createsubscriber, suspend any automated O&M scripts that rely on this tool before upgrading, and perform strict access control audits on roles that have pg_create_subscription privileges.
· CTO Perspective: While the PostgreSQL community maintains high‑quality, fast‑response releases, the search_path‑dependent attack of CVE-2026-6472 reminds CTOs that sensitive queries must explicitly lock the schema search path – setting search_path to a trusted fixed value and revoking CREATE privileges from PUBLIC can effectively mitigate such “search_path hijacking” vulnerabilities. It is recommended to upgrade production environments to the latest patched versions as soon as possible, while setting up non‑production compatibility verification.
· Investor Perspective: The PostgreSQL community’s high‑frequency patching cadence amid the AI boom is a plus for its ecosystem stability and sustained iteration capability – a positive for capital markets. Enterprises providing professional migration, optimisation, and managed services around the PG ecosystem will see their business valuation rise accordingly. At the same time, frequent disclosure of high‑risk vulnerabilities will push enterprise paying customers to procure professional security operations services.

Source: PostgreSQL Global Development Group & Debian Security
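
The checks recommended in this item, written as catalog queries. This is an added example, not code from the PostgreSQL project or from the original post; the patched minimums are the versions listed above, and `app_schema` and `app_owner` are hypothetical names.

```sql
-- Added audit example; app_schema and app_owner are hypothetical names.

-- 1. Is this server at or above the patched minor listed for its major?
--    server_version_num is major*10000 + minor (18.4 -> 180004).
WITH patched(major, min_num) AS (
    VALUES (18, 180004), (17, 170010), (16, 160014), (15, 150018), (14, 140023)
), me AS (
    SELECT current_setting('server_version_num')::int AS num
)
SELECT me.num    AS running,
       p.min_num AS patched_minimum,
       coalesce(me.num >= p.min_num, false) AS is_patched  -- false for unlisted majors too
FROM me
LEFT JOIN patched p ON p.major = me.num / 10000;

-- 2. Roles that can act as pg_create_subscription, directly or through
--    inheritance. The role exists on 16 and later; superusers always match,
--    so rolsuper is shown to tell them apart from explicit grants.
SELECT r.rolname, r.rolsuper, r.rolcanlogin
FROM pg_roles r
WHERE r.rolname <> 'pg_create_subscription'
  AND pg_has_role(r.oid, 'pg_create_subscription', 'MEMBER')
ORDER BY r.rolsuper, r.rolname;

-- 3. Schemas in which PUBLIC (grantee 0) may create objects.
SELECT n.nspname AS schema_name
FROM pg_namespace n
CROSS JOIN LATERAL aclexplode(coalesce(n.nspacl, acldefault('n', n.nspowner))) a
WHERE a.grantee = 0
  AND a.privilege_type = 'CREATE';

-- 4. SECURITY DEFINER functions with no search_path pinned on the function,
--    which therefore resolve names through the caller's search_path.
SELECT p.oid::regprocedure AS func, pg_get_userbyid(p.proowner) AS owner
FROM pg_proc p
WHERE p.prosecdef
  AND NOT EXISTS (
        SELECT 1
        FROM unnest(coalesce(p.proconfig, '{}'::text[])) AS c
        WHERE c LIKE 'search_path=%');

-- 5. Hardening to apply once the results above have been reviewed.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
ALTER ROLE app_owner SET search_path = app_schema, pg_temp;
```

Queries 1, 3 and 4 are read-only and run on any supported major; query 2 raises an error on versions 14 and 15, where the `pg_create_subscription` role does not exist.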

03|PostgreSQL 14 Officially EOL: Security Updates Stop July 1, Final Version 14.23 Released

PostgreSQL 14 will officially cease all support and security updates on July 1, 2026, with the final version being 14.23 (released May 14). The Debian project has simultaneously announced that PostgreSQL 14 packages will be removed from the upcoming Debian 14 “Forky” release.

PostgreSQL 14 was released in September 2021, introducing key features such as parallel index creation, native partition performance improvements, and inline stored procedures – it remains an important version still in use by many enterprises. PG 15 support ends on November 11, 2027, PG 16 on November 9, 2028, while the recommended LTS version is PG 18 (supported until May 2031).

· DBA Perspective: PG 14 is only 46 days away from end‑of‑life on July 1 – the countdown alarm has sounded. The only correct action for DBAs now is to immediately initiate upgrade assessments, prioritise upgrading to 18.4 or 17.10, use pg_upgrade for pre‑checks, and address all postgresql.conf parameter differences and extension compatibility issues before the test window.
· CTO Perspective: Technical management must make this EOL a Q3 priority, avoiding security compliance risks caused by accumulated technical debt. PG 14’s EOL, combined with the stabilisation of PG 18 LTS, creates a clear upgrade window. It is recommended to develop an 8‑week, phased upgrade implementation plan.
· Investor Perspective: Version EOL is a double‑edged sword – it may cause short‑term customer churn anxiety, but it also creates a concentrated release window for professional database migration and upgrade services. The Q3‑Q4 performance growth of specialised database service providers deserves attention.

Source: Debian PostgreSQL 14 Removal Announcement

04|Dameng Accelerates ASEAN Xinchuang Expansion: First Stop in Indonesia Leads Domestic Database Globalisation

Dameng recently showcased four strategic new products, including DM9, in Southeast Asia, replicating its domestic Xinchuang database success in the ASEAN market, with its first stop in Indonesia. This marks a shift from “capital going global” to “technology standards going global” for domestic databases.

DM9 adopts a “centralised + distributed + TP + AP + AI” five‑in‑one architecture – centralised and distributed integration breaks the selection dilemma; TP and AP integration eliminates ETL overhead; database and AI integration natively supports vector search; software and hardware integration deeply adapts to domestic chips such as Phytium, Kunpeng, and Hygon. Dameng Qiyun Database V4.0 simultaneously released a cloud‑native database service with an integrated AI O&M engine, supporting unified deployment across multi‑cloud/hybrid cloud environments.

· DBA Perspective: The global expansion of domestic databases is opening a new career frontier – DBAs with experience tuning Dameng DM9’s five‑in‑one architecture will not only remain highly competitive in domestic finance and telecom replacement projects but may also serve as technical leads in new infrastructure projects in ASEAN. It is recommended to develop cross‑cultural communication skills for multi‑cloud migrations and pay attention to character set support and multi‑language report optimisation for DM9 in non‑Chinese environments.
· CTO Perspective: The deeper signal of Dameng’s overseas expansion is that the industrial maturity of domestic databases has reached a level where they can be exported to emerging markets. Southeast Asia’s legacy systems, which traditionally rely on Oracle and SQL Server, are due for an upgrade, and DM9’s “full‑scenario coverage” technical approach is likely to appeal to cost‑sensitive local customers. For CTOs, Dameng’s going global will also accelerate product refinement and global delivery capabilities.
· Investor Perspective: Dameng’s entry into the Indonesian market is a landmark event for domestic databases “going out.” Success overseas would directly open up a valuation space several times larger than the domestic market, but close attention must be paid to the progress of localisation compliance costs, ecosystem partner development, and the establishment of a global service support system.

Source: Dameng ASEAN Expansion Strategy Disclosure

05|OceanBase Open Source Global Impact Soars: GitHub C++ Top 30, Trending on HackerNews

On May 15, OceanBase exceeded 2,400 stars on GitHub. In the global ranking of C++ open‑source projects on GitHub, OceanBase broke into the global top 30, becoming the first domestic database project to achieve this. Additionally, OceanBase’s influence in international tech communities continues to rise, ranking in the top 4 on the HackerNews Trending list for a full week.

OceanBase’s open‑source community receives over 120 PRs and 300+ issue interactions per week. Since open‑sourcing 3 million lines of core code last November, the community has surpassed 500 contributors, and more than 20 enterprises have deployed the Community Edition in production. A popular HackerNews discussion thread on “Why OceanBase can replace Oracle in high‑end financial scenarios” received over 800 technical upvotes.

· DBA Perspective: The high activity level of the OceanBase open‑source community provides DBAs with an excellent learning and advancement opportunity to “let code speak.” DBAs are advised to follow the technical debates among experienced developers on HackerNews and study OceanBase’s design choices in Paxos protocol engineering and distributed HTAP scheduling.
· CTO Perspective: OceanBase’s sustained presence at the top of overseas tech community rankings indicates that its technical strength is gradually gaining professional recognition from the global developer community, which will significantly reduce trust costs for overseas enterprises during technology selection. CTOs considering a smooth technology stack evolution can use the code quality of OceanBase’s Community Edition as a litmus test for distributed database core capabilities.
· Investor Perspective: The surging reputation of domestic databases in core global developer communities such as GitHub and HackerNews is a highly valuable intangible brand asset. For primary market investors, the growth rate of open‑source community contributors and the “volume” of discussion among global technical experts can be leading indicators of a technology product’s long‑term vitality, even more so than traditional sales channel data.

Source: OceanBase GitHub Data Disclosure

📅 Today’s Database Landscape Recap

Category | Event | Core Highlights
Multi‑cloud Deployment | Oracle Database@AWS GA, Tokyo region added | Deep integration of AWS and OCI; AI vector search + embedded ML
Security Update | PostgreSQL releases 5 version updates (18.4, etc.) | Fixes 11 CVEs; pg_createsubscriber SQL injection critical flaw
Version EOL | PostgreSQL 14 announced EOL on July 1 | Only 46 days remaining; final version 14.23 released
Domestic Going Global | Dameng debuts DM9 in Indonesia as first stop | Five‑in‑one architecture launches globalisation of domestic databases
Open Source Impact | OceanBase enters GitHub C++ global top 30 | Trending on HackerNews for a week; stars exceed 2,400
Mature Competition | Domestic database competition enters “deep cultivation” phase | Top 10 positions unchanged in May popularity ranking; moats of leading vendors are solidifying
Capital Movement | Vastbase plans private placement up to RMB 702M | RMB 489M for HTAP, RMB 213M for multi‑modal time‑series database

📌 Issue Summary

News | Core Keywords | DBA Actions | CTO/Decision‑Maker Focus | Investor Perspective
Oracle Database@AWS GA | Cross‑cloud deployment, AI vector search, OCI+AWS integration | Build multi‑cloud joint operations skills; master coordinated monitoring of OCI and AWS systems | Multi‑cloud strategy gains compliance option; use Oracle capabilities directly in AWS ecosystem | Multi‑cloud transition accelerates SaaS/PaaS revenue share; AWS fills high‑end DB product gap
PostgreSQL security update | 11 CVEs, pg_createsubscriber injection, CREATE TYPE hijack | Upgrade immediately; review pg_createsubscriber usage; pause automation scripts relying on it | Set search_path to trusted fixed value; revoke PUBLIC CREATE privileges; complete PG 14 upgrade by Q3 | PG ecosystem remains responsive; professional security operations services market expands
PostgreSQL 14 EOL | July 1 end of support, final version 14.23 | 46‑day countdown; start upgrade assessment; prioritise 18.4/17.10; pre‑check extension compatibility | Make EOL a Q3 priority; develop 8‑week phased upgrade plan | Professional migration services see concentrated demand release; Q3‑Q4 performance of service providers worth watching
Dameng expands to Indonesia | Xinchuang globalisation, five‑in‑one architecture, tech standards going global | Master DM9 five‑in‑one tuning experience; focus on multi‑language reporting in non‑Chinese environments | Domestic DB industry maturity now supports export; cost advantage in overseas new infrastructure projects | Going global opens up valuation space several times larger; track local compliance, ecosystem, and global service system
OceanBase open source surge | GitHub C++ top 30, HackerNews trending, 500+ contributors | Follow HackerNews debates; study Paxos implementation and distributed HTAP scheduling design | Overseas developer recognition lowers trust cost for enterprise selection | Community reputation is key intangible asset; contributor growth is a leading indicator of long‑term product vitality

HiddenMerit Team Production Slogan: 绩优隐于内,金石启新程 | Hidden deep. Merit bold. Forge ahead.


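绩隐金, all rights reserved | Original content unless otherwise noted | This site is licensed under the BY-NC-SA agreement
When reposting, please credit the original link: HiddenMerit Daily · Issue 21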