
HiddenMerit Daily · Issue 29

DailyIssue · Clyde Jin · 2 days ago · 15 views · 0 comments


Focus on Database Frontiers, Practical Insights for DBAs
May 25, 2026 | 5 Selected Global Breaking News

01|China Academy of Art Launches RMB 550,000 Xinchuang Procurement: University Xinchuang Moves from “Pilot” to “Full‑Scenario Replacement”

On May 15, the China Academy of Art released its government procurement intention for May 2026, with a budget of RMB 550,000 for the “Domestic Xinchuang Construction – 2026” project. The procurement requirements explicitly state: by 2025, achieve basic domestic production of educational new infrastructure related software and hardware, and by 2027, complete full‑chain replacement of core business systems and terminal environments, forming an autonomous and controllable ecosystem covering “chips – operating systems – databases – application software – security services.”

Specific technical paths include: large‑scale deployment of domestic CPUs (Kunpeng, Loongson, etc.), operating systems (UnionTech UOS, Deepin), and databases (Dameng DM8, KingbaseES) in data centres, labs, and office terminals, with a domestic production rate of over 90% for core equipment; driving deep compatibility of key applications such as academic affairs management, research collaboration, and smart classrooms with domestic environments, achieving 100% adaptation rate; building a “zero‑trust access + perimeter protection + data encryption + log audit” defence system based on domestic cryptographic technology.

On the same day, China Communications Construction Group Co., Ltd.’s 2026 autonomous‑control database procurement project completed evaluation, with a transaction amount of RMB 259,200.

  • DBA Perspective: The procurement intention of the China Academy of Art sends a key signal – university Xinchuang is moving from “edge pilot” to “full‑chain replacement of core systems.” Previously, the main battlefields for Xinchuang were government and finance; now universities are entering the market in batches. This opens a new career blue ocean for DBAs: Dameng DM8 and KingbaseES are designated databases for the project, meaning that DBAs with experience in operating and migrating these two domestic databases will have significant bargaining power in the wave of university digital transformation over the next three years. DBAs are advised to proactively acquire knowledge of the data architecture of core university business systems (academic affairs, research, human resources).

  • CTO Perspective: University Xinchuang is different from finance and government – its business systems are complex, with many legacy systems and fragmented technology stacks. The “full‑chain replacement” target proposed by the China Academy of Art (by 2027) provides CTOs with a clear time window. When planning university digital projects, CTOs should prioritise full‑stack compatibility of “domestic database + domestic OS + domestic chip” as the primary consideration for technology selection.

  • Investor Perspective: The university Xinchuang market is starting. The China Academy of Art’s RMB 550,000 procurement is just the tip of the iceberg – the database replacement demand from over 3,000 universities nationwide will be a multi‑billion yuan market. Dameng and Kingware, having entered university procurement lists early, are positioned to gain a first‑mover advantage in this incremental market.

02|Time‑Series Data Explosion: IDC Predicts Over 50% of Data Will Be Time‑Series by 2026, Kingware Discloses Industrial Test Results

According to IDC forecasts, by 2026, over 50% of globally generated data will be unstructured or semi‑structured time‑series data, with 70% of real‑time decision‑making needs relying on millisecond‑level data response capabilities. CETC Kingware recently disclosed test results of KingbaseES V9 in industrial time‑series data scenarios: under high‑concurrency write tests, it maintained millisecond‑level real‑time query response even with millions of writes per second, with query latency fluctuation below 5%.

KingbaseES V9 has undergone deep kernel modifications for time‑series data. By introducing efficient compression algorithms and partition table mechanisms, using multi‑version concurrency control (MVCC) and adaptive partition strategies, it can automatically identify hot and cold distribution of time‑series data – keeping frequently accessed recent data in memory while archiving historical data to low‑cost storage layers. In test environments, KingbaseES V9 simultaneously supports high‑frequency transaction writes and complex analytical queries, achieving a “write‑aggregate‑query” integrated architecture.

  • DBA Perspective: Time‑series data is moving from a “niche area” to the “main battlefield” of data. By 2026, time‑series data will account for half of global data volume, meaning DBAs must quickly fill their knowledge gaps about time‑series databases – including the underlying design of time‑series storage engines, down‑sampling strategies, data hot/cold separation, and data retention policies. KingbaseES V9’s test data (millions of writes + millisecond queries + fluctuation <5%) provides a real‑world reference for DBAs selecting time‑series databases in scenarios such as industrial internet, energy dispatch, and smart manufacturing.

  • CTO Perspective: The forecast that time‑series data will exceed 50% of data volume confirms the judgment that “time‑series data is the record of all digital movement processes.” When planning data architecture, CTOs should prioritise databases with multi‑modal convergence capabilities (time‑series + relational + vector) rather than maintaining highly complex architectures that “patch together multiple databases.” KingbaseES V9’s HTAP integration capability is particularly suitable for real‑time scenarios requiring “produce, compute, and decide at the same time.”

  • Investor Perspective: The time‑series database track is facing a “structural” growth inflection point – demand from industrial internet, smart grids, autonomous driving, and connected vehicles is shifting from “optional” to “mandatory.” Vendors with experience in industrial‑scenario time‑series migration and integrated multi‑modal capabilities are likely to capture significant market share in this wave of time‑series data growth. IDC’s prediction that time‑series data will account for half of global data provides macro‑level support for the valuation of time‑series database companies.

Source: CETC Kingware Tech Blog

03|ChromaDB “ChromaToast” Critical Vulnerability: 14M‑Download Vector Database, 73% of Public Instances Exposed to RCE Risk

A highest‑severity security vulnerability has been disclosed in the open‑source vector database ChromaDB, tracked as CVE-2026-45829 and nicknamed “ChromaToast.” The vulnerability allows an unauthenticated attacker to execute arbitrary code on servers exposed to the internet, posing a full remote code execution (RCE) risk.

The vulnerability was discovered by security company HiddenLayer. The core issue is a race condition between the model loading process and authentication logic in the Python FastAPI version of the ChromaDB server – the system allows loading and running embedding models before performing authentication checks. Attackers can craft specific requests abusing the trust_remote_code: true parameter to force ChromaDB to pull malicious models from the Hugging Face platform and execute them locally on the server. Successful exploitation can give attackers shell access along with API keys, mounted secrets, environment variables, and locally stored vector data.

ChromaDB’s PyPI package has nearly 14 million monthly downloads. The vulnerability was introduced in ChromaDB version 1.0.0 and remains unpatched as of version 1.5.8. HiddenLayer’s investigation shows that among public ChromaDB instances indexed by Shodan, over 73% are still running vulnerable versions. More concerning, HiddenLayer researchers have repeatedly tried to contact ChromaDB developers since February 17 but have received no response.

  • DBA Perspective: The ChromaDB vulnerability makes it bluntly clear that vector database security cannot rely solely on “community faith.” When building RAG applications with such emerging components, DBAs must proactively take on the responsibility of pre‑deployment security reviews. Urgent actions: first, identify ChromaDB instances exposed to the public internet; second, replace the Python FastAPI server with the Rust implementation; third, restrict access to only trusted IPs. A more fundamental lesson: “supply chain security” for AI infrastructure must be included in DBAs’ daily monitoring scope.

  • CTO Perspective: A “star project” with 14 million monthly downloads receiving no response to vulnerability reports for three months exposes the security governance shortcomings in the open‑source AI component supply chain. When selecting AI infrastructure components, technical managers must include “security response capability” in their vendor evaluation systems, avoiding reliance on “unmaintained” open‑source components for critical business. As the HiddenLayer team noted: “Models are not passive data – they are code.”

  • Investor Perspective: The ChromaToast vulnerability highlights the governance dilemma of “star project, amateur team” in the AI open‑source ecosystem. This means that enterprise customers will increasingly value the “backstop capability” of commercial support teams when procuring AI infrastructure. Vector database companies with complete commercial service systems (such as Pinecone, Zilliz) and security compliance service providers are likely to see increased orders from this wave of security anxiety. Investors should be cautious of AI infrastructure projects that rely on “community faith” rather than commercial support.

Source: Open Source For You
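
The three urgent actions in the DBA Perspective above can be run as a triage over a deployment inventory. The following is an added example, not code from ChromaDB or HiddenLayer: the inventory fields, the `server` labels, the trusted ranges and the sample hosts are all constructed assumptions, and the version range is the one stated in this article (introduced in 1.0.0, unpatched as of 1.5.8).

```python
import ipaddress
from dataclasses import dataclass, field

# From the article: introduced in 1.0.0, still unpatched as of 1.5.8.
FIRST_AFFECTED = (1, 0, 0)
LAST_KNOWN_UNPATCHED = (1, 5, 8)
# Assumption: the organisation's trusted source ranges (constructed values).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "203.0.113.0/24")]

@dataclass
class Instance:
    name: str
    version: str
    server: str                 # hypothetical labels: "python-fastapi" or "rust"
    bind_addr: str
    allowed_cidrs: list = field(default_factory=list)  # inbound firewall rules

def version_status(version):
    """Classify a version string against the range the article gives."""
    try:
        parts = [int(p) for p in version.strip().lstrip("v").split(".")]
    except ValueError:
        return "unknown"        # e.g. a pre-release tag: needs a manual look
    ver = tuple((parts + [0, 0, 0])[:3])
    if ver < FIRST_AFFECTED:
        return "pre-1.0.0"
    return "affected" if ver <= LAST_KNOWN_UNPATCHED else "unverified"

def exposed_beyond_trusted(inst, trusted=TRUSTED_NETS):
    """True if any inbound rule admits sources outside the trusted ranges."""
    if ipaddress.ip_address(inst.bind_addr).is_loopback:
        return False
    for cidr in inst.allowed_cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if not any(net.version == t.version and net.subnet_of(t) for t in trusted):
            return True
    return False

def triage(inst):
    """Return (severity, actions) following the three urgent actions above."""
    status = version_status(inst.version)
    at_risk = inst.server == "python-fastapi" and status != "pre-1.0.0"
    exposed = exposed_beyond_trusted(inst)
    actions = []
    if exposed:
        actions.append("restrict inbound access to trusted IPs")
    if at_risk:
        actions.append("replace Python FastAPI server with the Rust implementation")
    if at_risk and status != "affected":
        actions.append("version not covered by the article: verify manually")
    severity = ("critical" if at_risk and exposed else
                "high" if at_risk else "medium" if exposed else "ok")
    return severity, actions

# Constructed inventory, not real hosts.
INVENTORY = [
    Instance("rag-prod", "1.5.8", "python-fastapi", "0.0.0.0", ["0.0.0.0/0"]),
    Instance("rag-stage", "1.2.0", "python-fastapi", "0.0.0.0", ["10.20.0.0/16"]),
    Instance("rag-new", "1.5.8", "rust", "0.0.0.0", ["203.0.113.7/32"]),
    Instance("legacy", "0.6.3", "python-fastapi", "127.0.0.1"),
]

if __name__ == "__main__":
    for inst in INVENTORY:
        print(inst.name, *triage(inst))
```

Versions newer than 1.5.8 are reported as "unverified" rather than safe, because the article names no fixed release.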

04|Tencent Cloud PostgreSQL Cloud Disk Edition Officially Released: Elastic Cloud Storage + AI‑Native, 4 Days Until May 29 Launch

On May 22, Tencent Cloud Database PostgreSQL Cloud Disk Edition was officially released. This version uses Cloud Block Storage (CBS) as its unified storage foundation, with comprehensive upgrades in four dimensions compared to traditional local disk formats: elasticity, reliability, security compliance, and AI‑native capabilities. Core capabilities include:

  • Unified cloud disk storage foundation: Storage and compute decoupled, enabling online scaling, snapshot backups, cross‑availability zone/cross‑region disaster recovery;
  • Snapshot‑based backup and rollback: TB‑level databases can be backed up and rolled back in minutes, providing a “safe undo button” for AI schema changes and agent trial‑and‑error;
  • pgvector vector extension enabled by default: Supports multiple vector index types (IVFFlat, HNSW), with vector data and business data in the same database, same transaction, same backup, same rollback;
  • DiskANN (pgvectorscale) productisation accelerated: One‑click enabling of DiskANN indexing, suitable for 1024–2048 dimensional, hundred‑million‑scale vector workloads, based on cloud disk storage rather than full memory;
  • Hybrid search in one SQL: Supports “vector + full‑text + relational conditions” recall and ranking within a single SQL;
  • In‑database AI function tencentdb_ai: Directly calls chat/embedding/rerank functions in SQL, providing “write‑to‑auto‑embedding” capability.

Only 4 days remain until the Tencent Cloud “Database + AI” product launch on May 29. The launch will disclose, for the first time, the evolution path and core capabilities from “AI‑In‑Database” native integration to full support for agents, unveiling six core engines covering the Agent “memory brain,” database Agent tool suite, and multi‑modal vector hybrid search.

  • DBA Perspective: The release of PostgreSQL Cloud Disk Edition is an excellent sample for DBAs to observe how “cloud‑native databases support AI workloads.” The productisation of DiskANN indexing is particularly noteworthy – traditional HNSW indexes are fully memory‑resident, posing challenges for cost‑sensitive AI applications; DiskANN, based on cloud disk storage, is more suitable for hundred‑million‑scale vector retrieval scenarios. DBAs should start learning the differences between DiskANN and HNSW and their applicable scenarios to provide professional judgment for AI application database selection.

  • CTO Perspective: Tencent Cloud integrating capabilities such as pgvector, DiskANN, hybrid search, and in‑database AI functions into a unified cloud disk foundation essentially pushes “AI‑native databases” from concept to productisation. For CTOs planning data architectures for AI applications, the PG Cloud Disk Edition provides a “one‑stop” solution – vectors and business data in the same database, same transaction, same backup, eliminating data movement between multiple systems. The May 29 launch is an important window for evaluating the commercial conversion efficiency of this strategy.

  • Investor Perspective: Tencent Cloud’s intensive investment in the “database + AI” direction (previously TDSQL OLTP +50%, OLAP +20x, Agent Memory open‑sourced, DataBuddy released), combined with the launch of PG Cloud Disk Edition and the May 29 launch, is building a full‑chain data intelligence closed loop covering “storage → governance → analysis → agents.” Investors should pay special attention to customer implementation case sharing at the May 29 launch – case quality will influence market valuation more than concepts themselves.

Source: Tencent Cloud Official

05|Vastbase’s RMB 700M Private Placement Accepted: HTAP + Multi‑Modal Time‑Series Dual‑Wheel Drive Adds New Variable to Xinchuang Market

On May 11, Vastbase (603138.SH) disclosed its 2026 private placement plan analysis report, intending to raise up to RMB 701.6145 million. The entire amount will be invested in two core technology R&D projects: a next‑generation high‑performance hybrid transaction/analytical database (HTAP) project and a multi‑modal time‑series database project.

Vastbase believes that the traditional “OLTP database + OLAP data warehouse” separated architecture can no longer meet the real‑time, integrated, and high‑concurrency requirements of core scenarios such as finance, retail, telecommunications, and manufacturing. The HTAP integrated processing architecture can deliver both high‑concurrency transaction performance and batch analytical efficiency. The multi‑modal time‑series database project targets core needs in emerging scenarios such as industrial internet and energy dispatch.

The company’s Vastbase database is a purely domestic relational database product with fully independent intellectual property rights. It has passed national security and reliability assessments and has achieved large‑scale deployment in key industries such as government, finance, telecommunications, manufacturing, energy, defence, and transportation. It is worth noting that the company has recorded four consecutive years of losses, with its Q1 2026 net loss attributable to shareholders widening to RMB 41.77 million, and operating cash flow plummeting 214% year‑on‑year.

  • DBA Perspective: Vastbase’s RMB 700 million private placement doubling down on HTAP and multi‑modal time‑series is another indication of “technology intensification” in the domestic database track. For DBAs, HTAP integrated architecture means saying goodbye to ETL pipelines and dual‑system maintenance, but it also requires DBAs to master hybrid workload tuning – coordinating transaction response and batch analytics within a single system, with refined resource scheduling and SLA guarantees. Time‑series data processing capability will also become a core competency for DBAs in IIoT scenarios. However, it is worth noting that Vastbase’s four consecutive years of losses present a financial risk that cannot be ignored; DBAs need to assess the long‑term viability of vendors when choosing technology stacks.

  • CTO Perspective: Vastbase’s customers are primarily state‑owned enterprises. This private placement targeting HTAP and multi‑modal time‑series, if successfully delivered, will add a more complete integrated domestic database option for telecom and energy scenarios. However, management’s history of repeated project delays and unimproved profitability are risks that cannot be overlooked. Technology decision‑makers should carefully assess vendor financial health when evaluating HTAP product delivery capability.

  • Investor Perspective: The dual tracks of HTAP and multi‑modal time‑series have clear market demand – strongly driven by scenarios such as financial real‑time risk control, industrial internet, and energy dispatch. However, Vastbase’s historical baggage of “four consecutive years of losses + controlling shareholder penalty for illegal shareholding reduction” cannot be ignored. There is significant uncertainty whether the large offering will be approved. The subscription enthusiasm and multiples from institutional investors will be key indicators of short‑term market confidence. Subsequent focus should be on the order conversion efficiency of the investment projects and the pace of accounts receivable collection.

Source: Vastbase Announcement

📅 Recent Database Hot Topics Recap

| Date | Event | Core Highlights |
|---|---|---|
| May 15 | China Academy of Art issues RMB 550,000 Xinchuang procurement intention | University Xinchuang moves from pilot to full‑scenario replacement; Dameng DM8, KingbaseES selected |
| May 22 | Tencent Cloud PostgreSQL Cloud Disk Edition officially released | Elastic cloud storage + AI‑native; DiskANN productised; hybrid search in one SQL |
| May 22 | China Communications Construction Group autonomous‑control DB procurement completed | Transaction amount RMB 259,200; Xinchuang procurement extends to communications industry |
| May 21 | ChromaDB CVE-2026-45829 “ChromaToast” vulnerability disclosed | 14M‑download vector database; 73% of public instances exposed to RCE risk |
| Mid‑May | CETC Kingware discloses KingbaseES V9 time‑series test results | Million‑writes + millisecond queries + fluctuation <5%; IDC forecasts time‑series data will exceed 50% |
| May 11 | Vastbase’s RMB 700M private placement accepted | HTAP + multi‑modal time‑series dual‑wheel drive; four years of losses a key point of contention |
| May 29 | Tencent Cloud “Database + AI” product launch (4 days countdown) | Debut of six core engines; Agent‑era data foundation final unveiling |

📌 Issue Summary

| News | Core Keywords | DBA Actions | CTO/Decision‑Maker Focus | Investor Perspective |
|---|---|---|---|---|
| China Academy of Art Xinchuang procurement | University Xinchuang full‑chain replacement, Dameng DM8+KingbaseES | Build O&M experience with Dameng and Kingware; learn data architecture of university core systems (academic affairs, research) | 2027 full‑chain replacement target provides clear time window; focus on full‑stack compatibility of domestic OS+DB+chips | 3,000+ university Xinchuang replacement is a multi‑billion yuan incremental market; Dameng and Kingware have first‑mover advantage |
| Time‑series data explosion | Over 50% of data will be time‑series, KingbaseES V9 test results, millisecond response | Fill knowledge gaps in time‑series engine design, down‑sampling, data hot/cold separation; reference industrial test data | Prioritise multi‑modal (time‑series+relational+vector) integrated architecture | Industrial internet/smart grid/connected vehicle time‑series demand shifts from “optional” to “mandatory” |
| ChromaDB critical vulnerability | CVE-2026-45829, vector DB RCE, 73% of public instances exposed | Identify public ChromaDB instances; use Rust version; restrict IP access | Include “security response capability” in AI infrastructure vendor evaluation | Enterprise customers will value commercial “backstop capability”; commercial vector DBs see incremental orders |
| Tencent Cloud PG Cloud Disk Edition release | Elastic cloud storage+AI‑native, DiskANN productised, hybrid search in one SQL | Learn differences between DiskANN and HNSW; provide professional judgment for AI application DB selection | Vectors and business data in same DB, same transaction, same backup; no data movement between multiple systems | May 29 launch is key window to observe Tencent Cloud’s “data+AI” commercialisation progress |
| Vastbase RMB 700M private placement | HTAP integration, multi‑modal time‑series, four years of losses | HTAP hybrid workload tuning + time‑series data processing; but assess vendor’s long‑term viability | Evaluate both HTAP product delivery capability and vendor financial health | Subscription enthusiasm is key indicator of market confidence; focus on order conversion efficiency |

HiddenMerit Team Production Slogan: 绩优隐于内,金石启新程 | Hidden deep. Merit bold. Forge ahead.


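绩隐金, all rights reserved | Original content unless otherwise noted | This site is licensed under the BY-NC-SA license
When reposting, please cite the original link: HiddenMerit Daily · Issue 29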
