
HiddenMerit Daily · Issue22

DailyIssue · Clyde Jin · 2 days ago · 22 views · 0 comments


Focus on Database Frontiers, Practical Insights for DBAs | May 17, 2026 | 5 Selected Global Headlines

01|May 2026 China Database Popularity Ranking: OceanBase, Dameng Surpass 800 Points, Top Ten Remains Unchanged

The May 2026 China Database Popularity Ranking has been released. The top ten positions did not change this month, but the scores kept rising: OceanBase held first place with 830.74 points. The moats of leading vendors in critical industry deployments are hardening, and domestic database competition has moved from the land-grab phase into its second half, deep cultivation of existing markets.

On the AI side, leading products are moving from external adaptation to kernel-level integration. OceanBase released the seekdb M0 plugin, which gives the AI agent framework OpenClaw an external memory hub built on hybrid retrieval and zero-overhead compression; the stated goal is a production-grade persistent memory layer so that an agent's context survives a restart instead of being lost with the process. Dameng DM9, with its five-in-one architecture (centralised + distributed + TP + AP + AI), integrates design agents and operations agents, moving the database from passive response towards self-design and self-healing. Kingbase (Kingware) remains firmly in third place and continues to deepen its presence in the telecommunications and provident-fund industries.

· DBA Perspective: zero change in the rankings is a sign of market maturity, but it also means the ecosystem barriers around the leading products are solidifying. At the same time, the uneven spread of AI capability is reshaping what counts as a DBA's core competence: OceanBase supplies persistent memory for AI agents, Dameng embeds AI directly in the kernel, and Kingware strengthens AI support in industry deployments. SQL tuning and index maintenance are no longer a comfort zone one can stay in. With competition entering the deep-cultivation phase, the leaders' moats widen and the cost of correcting a wrong tech-stack choice keeps rising. DBAs should build deep expertise in at least one leading product while keeping a close eye on AI integration capabilities.

02|PostgreSQL Releases Full‑Version Security Update: 11 CVEs Fixed, PG 14 End‑of‑Life Countdown Officially Starts

On May 14, the PostgreSQL Global Development Group released patch updates for versions 18.4, 17.10, 16.14, 15.18, and 14.23, fixing a total of 11 security vulnerabilities and over 60 bugs, with four high‑severity vulnerabilities (CVSS 8.8) attracting particular attention.

The individual fixes:

· CVE-2026-6473 (high severity, CVSS 8.8): an integer overflow makes the server allocate too small a buffer, leading to an out-of-bounds write, a segmentation fault, or potentially arbitrary code execution.
· CVE-2026-6475 (high severity, CVSS 8.8): symbolic-link path traversal in pg_basebackup and pg_rewind; a malicious source server can make the client overwrite arbitrary local files.
· CVE-2026-6476 (CVSS 7.2): SQL injection in pg_createsubscriber; a user holding the pg_create_subscription privilege can run SQL as superuser.
· CVE-2026-6478 (CVSS 6.5): timing side channel in MD5 password authentication. SCRAM-SHA-256 is not affected, but instances upgraded from PG 13 or earlier may still carry MD5 password verifiers.
· CVE-2026-6472 (CVSS 5.4): missing permission check on the target schema when CREATE TYPE creates a multirange, usable for search_path hijacking.

In addition, PostgreSQL 14 reaches end of life on November 12, 2026, after which it receives no further security fixes; less than six months remain.

· DBA Perspective: this is the most important PostgreSQL security update of the year. The symlink path traversal in pg_basebackup and pg_rewind should not be underestimated: if the source server is untrusted or has been compromised, the client side can end up overwriting system files, which directly threatens the integrity of the backup chain. The MD5 timing side channel is a reminder to check ageing production instances that still authenticate with MD5, especially systems upgraded from versions before PG 13; note that an MD5 verifier cannot be converted in place, so after setting password_encryption to scram-sha-256 each affected role needs a password reset before the old hash disappears. The pg_createsubscriber injection shows that even official management tools are not immune to input-validation bugs, so membership of pg_create_subscription must be tightly controlled. Finally, with PG 14 less than six months from EOL, anyone still on 14 should complete upgrade planning before Q3, preferably targeting 18.4 or 17.10.
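A small audit for the three points above (patch level against the May 14 minor releases, roles still carrying MD5 verifiers, and membership of pg_create_subscription), written as an added example rather than code from the page or from the PostgreSQL project. The catalog queries are standard PostgreSQL; the classification logic is pure Python so it runs on constructed rows without a server. The runner at the bottom assumes psycopg 3 is installed and a PGDSN environment variable points at the cluster.

```python
"""Audit a PostgreSQL cluster for patch level, residual MD5 verifiers and
pg_create_subscription membership. Added example, not project code."""
import os
import re

# Fixed minor versions from the May 14 release listed above.
FIXED = {18: 4, 17: 10, 16: 14, 15: 18, 14: 23}

# Standard catalog queries. pg_authid.rolpassword is readable only by a
# superuser; the other two work for any login role.
ROLE_VERIFIER_SQL = "SELECT rolname, rolpassword FROM pg_authid WHERE rolcanlogin"
SUBSCRIPTION_MEMBERS_SQL = """
SELECT rolname FROM pg_roles
WHERE pg_has_role(oid, 'pg_create_subscription', 'MEMBER')
  AND rolname <> 'pg_create_subscription'
"""  # the predefined role exists from PG 16; the query errors on older majors
VERSION_SQL = "SHOW server_version"

MD5_RE = re.compile(r"^md5[0-9a-f]{32}$")
VERSION_RE = re.compile(r"^(\d+)\.(\d+)")


def classify_verifier(rolpassword):
    """Map a pg_authid.rolpassword value to the auth method it implies."""
    if rolpassword is None:
        return "none"           # no password: peer/cert/trust, or locked out
    if MD5_RE.match(rolpassword):
        return "md5"            # affected by the timing side channel
    if rolpassword.startswith("SCRAM-SHA-256$"):
        return "scram-sha-256"  # not affected
    return "unknown"


def md5_roles(rows):
    """Roles whose stored verifier is still MD5. They need a password reset
    after password_encryption = scram-sha-256; hashes cannot be converted."""
    return sorted(name for name, pw in rows if classify_verifier(pw) == "md5")


def version_status(server_version):
    """'patched', 'needs-update' or 'unsupported' for a SHOW server_version string."""
    m = VERSION_RE.match(server_version)
    if not m:
        return "unsupported"
    major, minor = int(m.group(1)), int(m.group(2))
    if major not in FIXED:
        return "unsupported"    # 13 and older are already out of support
    return "patched" if minor >= FIXED[major] else "needs-update"


def run_audit(conn):
    """Run the three queries on a DB-API connection and return the findings."""
    with conn.cursor() as cur:
        cur.execute(VERSION_SQL)
        version = cur.fetchone()[0]
        cur.execute(ROLE_VERIFIER_SQL)
        rows = cur.fetchall()
        try:
            cur.execute(SUBSCRIPTION_MEMBERS_SQL)
            members = [r[0] for r in cur.fetchall()]
        except Exception:       # pre-16 server: the role does not exist
            conn.rollback()
            members = []
    return {
        "version": version,
        "status": version_status(version),
        "md5_roles": md5_roles(rows),
        "pg_create_subscription_members": members,
    }


if __name__ == "__main__":
    import psycopg  # assumption: psycopg 3 installed, PGDSN set in the environment
    with psycopg.connect(os.environ["PGDSN"]) as conn:
        for key, value in run_audit(conn).items():
            print(f"{key}: {value}")
```

Run it as a superuser (the pg_authid read requires one) against each cluster in the estate; any name in md5_roles is a role that still authenticates with the vulnerable verifier, and a status of needs-update or unsupported means the May 14 fixes are not in place.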

03|Alibaba Cloud RDS MySQL 8.4 Officially Launched: First LTS Release with Deep AliSQL Kernel Optimisations

On May 14, Alibaba Cloud launched RDS MySQL 8.4, based on the first long-term support (LTS) release of MySQL Community Edition since 8.0. Compared with 8.0 it offers a longer lifecycle and higher stability, and it integrates years of production-level optimisations from the AliSQL kernel. New features include automatic histogram updates to give the optimiser better statistics, as well as production-facing enhancements such as second-level column changes, large-transaction governance, and replication-latency optimisation.

Alibaba Cloud RDS also introduced a differentiated support strategy: it commits to continued kernel‑level maintenance for existing RDS MySQL 8.0 instances, including security vulnerability fixes, critical bug fixes, and stability enhancements. Users do not need to rush upgrades and can plan a smooth 8.0→8.4 evolution according to their business rhythm. One‑click smooth upgrade capability from RDS 8.0 to 8.4 is under development.

· DBA Perspective: Alibaba Cloud's package relieves the anxiety of operations teams still on MySQL 8.0. The cloud vendor's EOL coverage greatly reduces the production risk of a rushed upgrade. For DBAs, though, this is a buffer window, not a permanent safe haven: set an upgrade schedule early in operational planning, verify the actual performance benefit of the AliSQL kernel enhancements in an 8.4 test environment, and avoid a last-minute scramble when the 8.0 maintenance window closes. Note also that automatic histogram updates in 8.4 directly affect optimiser path selection, so existing SQL execution-plan baselines need to be re-examined on the new version.
· CTO Perspective: Alibaba Cloud's "no anxiety over EOL" strategy is attractive because it reduces decision risk for MySQL users. For enterprises that have not completed their 8.0 migration, it is an effective way to extend the decision window. Pay attention to the gap between the vendor's extended support period and the subsequent mandatory upgrade deadline, and budget for a Plan B.

04|Open Source MySQL Ecosystem Updates: Ceph and Redis Drop MySQL Components, Dify Releases v1.10.1

The distributed storage system Ceph released its latest architecture guide for 2026, adopting RocksDB in the BlueStore storage engine to replace MySQL components for better performance and stability. Redis, in its Q2 2026 architecture decision report, confirmed it will continue using its built‑in SQLite module for some metadata indexing and explicitly stated no reliance on MySQL.

On the tooling side, Dify v1.10.1 was released, adding full MySQL support and completing multi-database adaptation across PostgreSQL, MySQL and OceanBase. It also improves workflow-editor performance: measured editor response speed improved threefold, node capacity rose from 50 to 200, and many core-functionality defects were fixed.

· DBA Perspective: Ceph dropping MySQL components is not a verdict on MySQL's technical value; it is the choice of a better storage engine for a specific scenario. The lesson for DBAs is not to apply a "one database fits all" mindset mechanically but to evaluate the most suitable storage solution for each scenario. On the other hand, Dify's full adaptation to MySQL and OceanBase shows the open-source ecosystem becoming more inclusive of domestic databases. When domestic databases integrate seamlessly into mainstream open-source workflow platforms, DBAs gain considerably more options in mixed technology stacks.
· CTO Perspective: Ceph's architecture evolution again confirms that core system design should follow the principle of "scenario-driven, component-fit" rather than pursue technology uniformity for its own sake. Dify's multi-database adaptation offers a reference path for integrating data platforms across technology stacks.

05|AI Open Source Supply Chain Trust Crisis: LiteLLM Pre-Auth SQL Injection, LiteLLM Breached on Day One of Pwn2Own

The pre-authentication SQL injection in LiteLLM (CVE-2026-42208, CVSS 9.3) continues to develop. The flaw is in the open-source AI gateway LiteLLM developed by BerriAI: during API-key validation, the value of the user-supplied Authorization header is substituted directly into SQL queries, so an unauthenticated attacker can read or modify database content. CISA has added it to its Known Exploited Vulnerabilities (KEV) catalog. Earlier, attackers used stolen CI/CD credentials to publish malicious versions of the package to PyPI, exposing thousands of enterprises to cloud-credential leaks and internal-network intrusion. The attack chain shows the cascading pattern "upstream tool → core component → downstream application".

On the first day of Pwn2Own Berlin 2026 in mid-May, researchers chained three vulnerabilities to compromise LiteLLM and also breached Windows 11 and Edge among other targets. A total of 24 zero-day vulnerabilities were demonstrated that day, for $523,000 in prize money.

· DBA Perspective: an AI gateway holds all of an enterprise's LLM API keys, which makes it a high-value target within the data infrastructure. The root cause of CVE-2026-42208, splicing user input directly into a SQL query, is a classic SQL-injection mistake, now replicated at scale in AI infrastructure. DBAs should work with security teams to bring AI middleware into regular security audits, enforce least privilege on its database connections (a dedicated account that owns only the gateway's own schema for keys, spend and logs), and host that state store on a segregated database rather than on a production instance shared with business data.
· CTO Perspective: the LiteLLM incident and its compromise at Pwn2Own are another alarm that AI middleware is becoming the weakest link in the security chain. Attackers bypass traditional defences and strike high-value nodes in the AI stack such as model gateways and inference frameworks, turning a single breach into cascading trust-chain infiltration. Enterprises should include AI gateways in regular penetration testing and red-team exercises.
· Investor Perspective: CISA adding LiteLLM to the KEV catalog marks the point at which AI infrastructure security moved from a technical-community matter to a systemic risk at the regulatory level. Startups focused on AI traffic auditing, API-key lifecycle management, and open-source supply-chain security will continue to enjoy valuation premiums.
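The bug class described above, the Authorization header spliced into the key-lookup SQL, beside its parameterised fix, run against an in-memory SQLite table. This is an added example, not LiteLLM's code; the table, the two API keys and the attacker headers are constructed for the demo, and the keys are stored in plain form only to keep the lookup short (a real gateway would store a hash).

```python
"""Vulnerable vs. hardened bearer-token lookup. Added example, not LiteLLM code."""
import sqlite3

# Constructed demo data: two virtual keys and the team each belongs to.
SAMPLE_KEYS = (
    ("sk-team-a-1111", "team-a"),
    ("sk-team-b-2222", "team-b"),
)

# Constructed attacker headers.
BYPASS_HEADER = "Bearer x' OR '1'='1"
EXFIL_HEADER = "Bearer x' UNION SELECT token FROM virtual_keys WHERE team = 'team-b' --"


def make_db():
    """In-memory stand-in for the gateway's key table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE virtual_keys (token TEXT PRIMARY KEY, team TEXT NOT NULL)")
    db.executemany("INSERT INTO virtual_keys VALUES (?, ?)", SAMPLE_KEYS)
    return db


def bearer_token(authorization):
    """Extract the token from 'Bearer <token>'; empty string for any other scheme."""
    scheme, _, token = authorization.partition(" ")
    return token.strip() if scheme.lower() == "bearer" else ""


def vulnerable_lookup(db, authorization):
    """BEFORE: the header value becomes part of the SQL text, so quotes in it
    change the statement. Returns the team the key maps to, or None."""
    token = bearer_token(authorization)
    row = db.execute(
        f"SELECT team FROM virtual_keys WHERE token = '{token}'"
    ).fetchone()
    return row[0] if row else None


def safe_lookup(db, authorization):
    """AFTER: the SQL text is fixed and the value travels as a bound parameter;
    an injection payload is simply a token that matches nothing."""
    token = bearer_token(authorization)
    if not token:
        return None
    row = db.execute(
        "SELECT team FROM virtual_keys WHERE token = ?", (token,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    for header in ("Bearer sk-team-a-1111", BYPASS_HEADER, EXFIL_HEADER, "Basic abc"):
        print(f"{header!r:>75} vulnerable={vulnerable_lookup(db, header)!r} safe={safe_lookup(db, header)!r}")
```

With the vulnerable lookup, the first payload authenticates without any valid key (the OR clause matches every row) and the second returns another team's token in place of its team name, which is the "read database content" outcome in the advisory. The hardened lookup returns None for both; binding the value is the fix, and storing only a hash of the token plus a least-privilege database account limit the damage if a similar bug is reintroduced elsewhere.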

📅 This Week’s Database Hot Topics Recap

Date | Event | Core Highlights
May 13 | Tencent Cloud DatabaseClaw in-depth reveal | Four layers of security depth for AI agents; DB O&M moves from "usable" to "trustworthy"
May 14 | Alibaba Cloud RDS MySQL 8.4 GA | First LTS release, deep AliSQL kernel optimisation
May 14 | PostgreSQL 18.4 and other minor releases | 11 security vulnerabilities fixed; PG 14 EOL countdown starts
May 14-15 | Pwn2Own Berlin 2026 Day 1 | LiteLLM breached; 3 zero-days chained to compromise it
May 15 | Dify v1.10.1 released | MySQL ecosystem integration; multi-database adaptation completed
Mid-May | May 2026 China Database Popularity Ranking | OceanBase, Dameng exceed 800 points; top ten unchanged
Mid-late May | Oracle Database@AWS adds Tokyo region | Cross-cloud deployment expands; Toronto and Sydney coming soon
May 29 | Tencent Cloud "Database + AI" product launch | Debut of six core engines; AI-in-Database roadmap culminates

📌 Issue Summary

May 2026 China DB popularity ranking
  Core keywords: OceanBase/Dameng break 800, AI kernel co-existence, deep cultivation
  DBA actions: deepen skills in leading products; build AI integration awareness early
  CTO/decision-maker focus: ecosystem moats of leading vendors solidifying; selection cost differentiation intensifies
  Investor perspective: competition enters "deep cultivation"; valuation moats of top vendors widen

PostgreSQL security update
  Core keywords: 11 CVEs, PG 14 EOL, pg_basebackup path traversal
  DBA actions: upgrade to 18.4/17.10; eliminate MD5 auth; complete PG 14 migration within 6 months
  CTO/decision-maker focus: establish regular version management; proactively plan upgrade windows
  Investor perspective: PG ecosystem remains responsive; professional O&M services see concentrated demand

Alibaba Cloud RDS MySQL 8.4 GA
  Core keywords: first LTS, AliSQL kernel, EOL coverage
  DBA actions: plan the 8.0→8.4 upgrade window; rehearse execution-plan baselines on the new version
  CTO/decision-maker focus: extend the EOL decision window; assess long-term tech dependency risks
  Investor perspective: differentiated services lock in existing customers; sustain cloud revenue growth

Open source MySQL ecosystem updates
  Core keywords: Ceph drops MySQL components, Dify multi-DB adaptation
  DBA actions: evaluate storage solutions by scenario; research cross-DB API unification
  CTO/decision-maker focus: diversified data-foundation selection must be scenario-driven
  Investor perspective: open-source ecosystem's compatibility with domestic DBs opens new collaboration space

AI supply chain security
  Core keywords: LiteLLM injection, CISA KEV, Pwn2Own breach
  DBA actions: audit AI middleware security configs; enforce least-privilege isolation
  CTO/decision-maker focus: include AI gateways in regular red-team penetration exercises
  Investor perspective: AI security sector becomes an investment hotspot; regulatory pressure intensifies

Produced by the HiddenMerit team. Slogan: 绩优隐于内,金石启新程 | Hidden deep. Merit bold. Forge ahead.


绩隐金 (HiddenMerit), all rights reserved. Unless otherwise noted, all content is original and licensed under a BY-NC-SA licence.
When reposting, please cite the original link: HiddenMerit Daily · Issue22