# 📊 HiddenMerit Daily · Issue 25
> **Focus on Database Frontiers, Practical Insights for DBAs**
> May 20, 2026 | 5 Selected Global Breaking News Stories
## 01|PICC Technology Procures Three Domestic Databases in Bulk, Financial Xinchuang Moves from “Pilot” to “Standard” Era
On May 18, PICC Technology announced the winning results of its 2025‑2026 Database Related Basic Software Original Factory Standard Service and Expansion Procurement Project (Package 2: Database Software Original Factory Standard Service), covering original factory standard services for **GaussDB, OceanBase, and Dameng databases**. The procurement method was competitive negotiation.
This is the second time in a short period that PICC Technology has introduced domestic databases at scale. In the previous 2025‑2026 Database Related Basic Software Maintenance Service Procurement (Package 1), it had already procured original factory services from three domestic databases. As a leading institution in the insurance industry, PICC Technology’s continuous inclusion of domestic databases in its original factory standard service scope indicates that the insurance industry’s Xinchuang transformation has completed multi‑vendor adaptation and technical reserves, and the procurement model has formally shifted from “single‑point pilot” to “regular expansion procurement.”
- **DBA Perspective**: A major insurer procuring three domestic databases in bulk sends a **clear signal that demand for domestic database O&M talent will concentrate in the insurance industry**. When planning their career paths, DBAs should aim to master in-depth O&M and performance tuning skills for at least one of GaussDB, OceanBase, or Dameng, while also tracking job growth from Xinchuang replacement in the insurance sector. At the same time, the ability to uniformly operate and migrate across multiple database brands will become a core soft skill.
- **CTO Perspective**: PICC Technology including three domestic databases in a single procurement package shows that the technology decision‑making layer has moved from single‑product lock‑in to open selection. This marks the maturity of the financial Xinchuang 2.0 phase – enterprises no longer need to “bet on a single vendor” when choosing replacement solutions, but can flexibly combine multiple domestic databases according to business scenarios. When planning core system architecture, CTOs should establish mechanisms for compatibility adaptation and technical reserves for multiple database brands in advance.
- **Investor Perspective**: The insurance industry, as a benchmark sector in the Xinchuang 2.0 phase, adopting three‑brand mixed procurement significantly deepens the competitive landscape for domestic database vendors. The three winning vendors can use this benchmark case to accumulate positive feedback for cross‑industry Xinchuang expansion and gradually increase their market share. Notably, the salary of DBAs with domestic database O&M skills is already 15%‑25% higher than that of Oracle DBAs with equivalent experience – this talent market premium is a leading indicator for the penetration rate of domestic replacement.
Source: PICC Technology Procurement Announcement
## 02|Dameng Launches DM9 and Dameng PAI in Hong Kong, Accelerating Global “Technology Export”
On May 15, Dameng Data held its 2026 new product launch in Hong Kong, officially unveiling the **DM9 database management system** and the next‑generation **Dameng PAI all‑in‑one machine**. By choosing Hong Kong as a hub, the launch aimed to build a bridge for China’s independent database technology to engage with the world, driving domestic foundational software from “technology breakthrough” to “going global.”
DM9, as Dameng’s next‑generation domestic database management system, features comprehensive upgrades in architecture, performance, and intelligent O&M. The Dameng PAI all‑in‑one machine follows a “software‑hardware synergy” concept, delivering integrated deployment for high‑grade industry core systems. Earlier in late April, Dameng had already released four new products at the 2026 China Database Technology and Industry Conference: DM9, GDMBASE V4.0, DAMENG PAI V2.0 all‑in‑one, and Qiyun Database V4.0, covering centralised, distributed, cloud‑native, and graph database scenarios. By mid‑May, Dameng brought its core products to Hong Kong to showcase its technical strength to the Asia‑Pacific and global markets.
On May 19, Dameng Data signed a strategic cooperation agreement with Beijing Hangxing Yongzhi Technology Co., Ltd. at the Dameng China Database Industry Base, focusing on key areas such as government affairs, state‑owned enterprises, and archive personnel management to create benchmark industry solutions.
- **DBA Perspective**: Dameng’s choice of Hong Kong as an international springboard means that top domestic DBAs have the opportunity to participate in the **core construction of global technology export**. Practitioners with O&M experience in DM9 can see their skills’ “marketability” expand from the domestic Xinchuang market to overseas critical systems. For DBAs, this extends career boundaries – mastering domestic database tuning is not only useful in domestic Xinchuang projects but also makes you a key technical contributor in overseas projects.
- **CTO Perspective**: The trend of domestic databases moving from “replacements” to “definers” is accelerating. DM9 has already been rapidly deployed in critical industries both at home and abroad. If your enterprise has international business needs, Dameng’s global expansion adds a **global standard reference** for multi‑technology‑stack selection. CTOs can begin to evaluate Dameng alongside international products like Oracle and AWS Aurora under the same lens.
- **Investor Perspective**: Dameng showcasing its global strategy from Hong Kong is a precise **brand elevation** – in the capital market, the ability to go global directly corresponds to a higher valuation ceiling. Signing with Hangxing Yongzhi the day after the launch further validates Dameng’s ecosystem penetration capability in key domestic areas such as government affairs and archives, worth continuous attention.
Source: Dameng Data 2026 Hong Kong New Product Launch Disclosure & Strategic Cooperation Announcement
## 03|OceanBase Releases OCP 4.4.2-CE: Primary‑Standby Strong Sync Adaptation, Monitoring and Alerting Significantly Enhanced
On May 18, OceanBase Cloud Platform (OCP) 4.4.2-CE was officially released. This upgrade fully adapts the **primary‑standby strong‑sync mode** and significantly improves monitoring and alerting functions, covering the entire process from cluster configuration and performance diagnosis to automatic failover. OCP Community Edition enables enterprises to stop relying on custom measurement systems and use production‑grade toolchains to support high‑availability O&M of distributed databases.
OceanBase has also been continuously investing in the AI direction. Version V4.6.0, released on April 28, introduced a native SQL hybrid search interface supporting vector, full‑text, and scalar multi‑modal fused queries, and released the seekdb M0 plugin to create an “external memory hub” for the AI agent framework OpenClaw. OceanBase CEO Yang Bing, at the 2026 China Economic Annual Observation Conference on May 9, explicitly stated: **Whether unstructured data can truly be processed online in real time is the biggest need for databases in the AI era.**
- **DBA Perspective**: OCP’s monitoring, alerting, and primary‑standby strong‑sync adaptation directly address the production‑level pain points DBAs care about most: reduction in fault detection time and observability of failover. DBAs are evolving from a traditional “passive O&M” role into **“intelligent O&M designers”** who achieve proactive health inspections and fault prediction through the OCP toolchain. At the same time, as OceanBase doubles down on multi‑modal convergence, DBAs are transforming from single‑purpose SQL optimisers into versatile professionals skilled in mixed‑load tuning, vector query performance governance, and ecosystem toolchain construction.
- **CTO Perspective**: OCP 4.4.2-CE improves the community delivery completeness of **financial‑grade disaster recovery**, significantly reducing the repetitive development cost of O&M systems for organisations with limited database teams. The strategic push for multi‑modal convergence also provides CTOs with a more agile AI‑native foundation option. OceanBase CEO’s assessment of databases in the AI era further reinforces the strategic direction of “database as AI foundation,” worth deep consideration by data architecture decision‑makers.
- **Investor Perspective**: The iteration speed of OCP community versions confirms OceanBase’s commitment to **open‑source ecosystem governance**, which will continue to feed back into its enterprise edition orders. Investors can use code iteration speed, community contributor activity, and growth in production‑grade community use cases as leading indicators to observe OceanBase’s commercialisation progress.
Source: OceanBase OCP 4.4.2-CE Release Announcement & OceanBase CEO Public Remarks
## 04|MariaDB to Open Source Its Data Lake Engine, Aiming for New Blue Ocean in AI Workloads
According to foreign media reports in mid‑May, open‑source database company MariaDB plans to open source its proprietary data lake engine, which was previously only available to enterprise customers. This open‑source initiative aims to increase its market penetration in AI workloads and attract more developers into its ecosystem. MariaDB had already strengthened its real‑time processing capabilities in 2025 by acquiring the in‑memory real‑time data platform GridGain, and the newly acquired distributed SQL technology is gradually being integrated into the core product roadmap. Market analysts believe that this open‑source move is an important strategic step for MariaDB to respond to external competition and deepen community engagement.
- **DBA Perspective**: Open‑sourcing the data lake engine means DBAs will have access to more unified and simplified data integration solutions. Facing AI‑driven challenges with semi‑structured and unstructured data, bringing data lake capabilities down to the open‑source community is expected to reduce management and query costs for large data volumes. DBAs should pay close attention to the technical architecture of MariaDB’s data lake engine and evaluate its suitability for AI workload scenarios.
- **CTO Perspective**: MariaDB open‑sourcing its data lake engine is aimed at gaining greater ecosystem influence in the data lake and AI workload space. For CTOs considering deploying open‑source data stacks for AI scenarios, this move adds a flexible reference for technology selection. It is recommended to monitor the actual functionality and community adoption of the open‑source version, especially its performance in vector search and real‑time analytics.
- **Investor Perspective**: Moving from closed‑source to open‑source has always been one of MariaDB’s main commercialisation paths. This open‑sourcing is expected to expand user reach and attract more developers to use its core technology. The commercial conversion effect after open‑sourcing needs continuous tracking.
Source: Foreign media reports on MariaDB data lake engine open‑source plan
## 05|Intensive Security Vulnerability Outbreak: SQL Injection in MariaDB Connector/C and Multiple CVEs Disclosed
Around May 19, several database‑related security vulnerabilities were disclosed in quick succession. An **SQL injection vulnerability exists in MariaDB Connector/C** (SB2026051914): when the big5 character set is used to escape unvalidated user input via the text protocol, the `mysql_real_escape_string()` function fails to properly handle special characters, allowing a remote attacker to perform SQL injection. Additionally, CVE-2026-42097 involves a critical authentication bypass vulnerability in Pro Cloud Server, where an unauthenticated attacker can directly execute arbitrary SQL queries against the underlying database.
Other vulnerabilities disclosed during the same period include: SQL injection in the EventRepository component of the BillaBear platform (CVE-2026-31069); SQL injection in a CMS plugin (CVE-2026-8726); and an SQL injection in the `addUserInAcls` endpoint of SOGo 5.12.7 (CVE-2026-8851). Severe vulnerabilities such as CVE-2026-6888 and CVE-2026-43685 were also disclosed in the previous week.
It is worth noting that the ArcadeDB full authorisation bypass vulnerability (CVE-2026-44221, affecting versions before 2.6.4), disclosed on May 12, once again sounded an alarm for the security maturity of multi‑model databases.
- **DBA Perspective**: The vulnerability in MariaDB Connector/C once again confirms that even mature database connectors can have security blind spots in character set processing and input escaping. The expanding attack surface reminds DBAs not to focus only on the database kernel, but also to include connectors, client libraries, and middleware in security audits. DBAs are advised to work with security teams to assess the versions and configurations of database connectors used in production environments, and to review all applications that use the big5 character set.
- **CTO Perspective**: The intensive disclosure of multiple database‑related CVEs in one week, including core issues such as authentication bypass and SQL injection, reflects that security validation of the data infrastructure supply chain still has shortcomings. It is recommended that technology management establish a **full‑chain security scanning mechanism for “database + connector + client”** and incorporate fixes for critical CVEs into quarterly security baseline gates.
- **Investor Perspective**: Security risks in the data infrastructure supply chain are spreading from the kernel to connectors and middleware layers, creating new market space for security scanning, vulnerability management, and compliance auditing service providers. Security companies that can cover the full database stack (kernel, connectors, middleware) are likely to gain a larger share of enterprise security budgets.
Source: MariaDB Security Advisory, CVE disclosures, and security community analysis
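
For the big5 review recommended in the DBA Perspective above, the following is an added example (not code from the advisory or from MariaDB) that inventories where a connection character set of big5 is selected in option files, connection strings, and client code. The file names, host names, and sample contents are constructed, and the DSN parameter names are assumptions about how your applications are configured.

```python
import re
import sys

# Places a connection character set is commonly chosen. The option-file keys,
# SET NAMES, mysql_set_character_set() and MYSQL_SET_CHARSET_NAME are real
# MariaDB/MySQL names; the DSN parameter names are assumptions about your drivers.
PATTERNS = [
    ("option-file", re.compile(
        r"""^\s*(default[-_]character[-_]set|character[-_]set[-_]server)\s*=\s*["']?big5\b""", re.I)),
    ("set-names", re.compile(
        r"""\bSET\s+(NAMES|CHARACTER\s+SET|CHARSET)\s+["']?big5\b""", re.I)),
    ("dsn-param", re.compile(
        r"""[?&;]\s*(charset|characterEncoding)\s*=\s*big5\b""", re.I)),
    ("api-call", re.compile(
        r"""\b(mysql_set_character_set|MYSQL_SET_CHARSET_NAME)\b[^\n]*?["']big5["']""", re.I)),
]

def find_big5_settings(name, text):
    """Return (source, line_no, kind, line) for each line that selects big5."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith(("#", ";")):  # option-file comment lines
            continue
        for kind, rx in PATTERNS:
            if rx.search(line):
                findings.append((name, no, kind, stripped))
                break
    return findings

# Constructed sample inputs so the example runs offline.
SAMPLES = {
    "my.cnf": "[client]\n# default-character-set=big5\n"
              "default-character-set = big5\n[mysqld]\ncharacter-set-server=utf8mb4\n",
    "app.env": "DB_URL=mysql://app@db.example.internal/orders?charset=big5\n"
               "REPORT_URL=mysql://app@db.example.internal/reports?charset=utf8mb4\n",
    "legacy.c": 'mysql_set_character_set(conn, "big5");\n'
                'mysql_query(conn, "SET NAMES utf8mb4");\n',
}

def scan_samples():
    return [f for name, text in SAMPLES.items() for f in find_big5_settings(name, text)]

if __name__ == "__main__":
    results = []
    for path in sys.argv[1:]:  # scan real files when paths are given
        with open(path, encoding="utf-8", errors="replace") as fh:
            results += find_big5_settings(path, fh.read())
    for src, no, kind, line in results or scan_samples():
        print(f"{src}:{no}: [{kind}] {line}")
```

A hit is a lead for review rather than proof of exposure: pair each one with the installed Connector/C version and check whether the application builds SQL by escaping input instead of using prepared statements.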
## 📅 Today’s Database Hot Topics Recap
| Date | Event | Core Highlights |
|------|-------|-----------------|
| May 15 | Dameng 2026 Hong Kong new product launch | DM9 and Dameng PAI officially unveiled; domestic databases embark on a new global journey |
| May 18 | OceanBase OCP 4.4.2-CE officially released | Primary‑standby strong sync adaptation + monitoring/alerting improvements; production‑grade toolchain upgraded |
| May 18 | PICC Technology procures three domestic databases in bulk | GaussDB, OceanBase, Dameng regular procurement; financial Xinchuang enters “standard” era |
| May 19 | Dameng Data signs strategic cooperation agreement with Hangxing Yongzhi | Focusing on government, state‑owned enterprises, archive personnel management; deepening domestic software ecosystem |
| May 19 | Multiple CVE database security vulnerabilities intensively disclosed | MariaDB Connector/C SQL injection, Pro Cloud Server authentication bypass, etc. |
| May 22 | XCOPS Intelligent O&M Managers Annual Conference (Guangzhou) | Practical sharing on AI application implementation, intelligent O&M, and database technology |
| May 23 | TiDB Zhengzhou community event | Exploring domestic replacement and AI construction in medical and government sectors |
| May 29 | Tencent Cloud “Database + AI” product launch | Debut of six core AI‑In‑Database engines; data foundation for the agent era officially unveiled |
| May 29 | Intelligent Cloud “Database + AI” Technology Summit | Focus on AI‑native database architecture; deep analysis of technology paths for kernel‑level large model integration |
## 📌 Issue Summary
| News | Core Keywords | DBA Actions | CTO/Decision‑Maker Focus | Investor Perspective |
|------|---------------|-------------|--------------------------|----------------------|
| PICC Technology procures three domestic databases | Financial Xinchuang standard, GaussDB+OceanBase+Dameng regular procurement | Deeply master O&M skills for at least one leading domestic DB; watch insurance industry Xinchuang job growth | Establish multi‑brand DB compatibility mechanisms; Xinchuang path shifts to open selection | Three‑brand procurement deepens vendor competitive landscape; DBA salary premium is a leading penetration indicator |
| Dameng Hong Kong launch | DM9 going global, globalisation strategy, DBs going global | Master DM9 tuning skills; become core technical reserve for overseas projects | Include domestic DBs in global selection; compare with Oracle/Aurora | Global capability supports higher valuation ceiling; ecosystem partnerships validate domain penetration |
| OceanBase OCP 4.4.2-CE | Primary‑standby strong sync, multi‑modal convergence, monitoring/alerting | Mixed‑load tuning + vector query governance + OCP toolchain construction | OCP improves financial‑grade DR delivery completeness; reduces O&M development costs | Open‑source iteration feeds back into enterprise orders; community activity is a leading indicator |
| MariaDB open‑sources data lake engine | New blue ocean in AI workloads, community‑driven | Pay attention to data lake engine architecture; evaluate suitability for AI workloads | Open‑source data lake tech adds flexible reference for AI scenario selection | Open‑sourcing expands user reach; track commercial conversion effect |
| Intensive security vulnerability outbreak | MariaDB connector injection, auth bypass, multi‑model DB auth bypass | Include DB connectors and client libraries in security audits; review big5 charset usage | Establish full‑chain DB+connector+client security scanning mechanism | Full‑stack security scanning & vulnerability management services see market growth |
> **HiddenMerit Team Production**
> **Slogan: 绩优隐于内,金石启新程 | Hidden deep. Merit bold. Forge ahead.**