CVE-2026-7428 CRITICAL

CVE-2026-7428: Insecure default administrative credentials in AlloyDB for PostgreSQL

Vendor: Google Cloud
Product: AlloyDB for PostgreSQL
Weakness: CWE-1392
Published: May 12, 2026
Last update: May 12, 2026

CVSS base score

9.2/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/U:Amber

What the vulnerability does

01 Description

Prior to 2025-11-03, well-intended users of Terraform or the REST API for Google Cloud AlloyDB for PostgreSQL could have created clusters with an insecure default password, which a remote attacker could have exploited to gain full administrative access to the database. Exploitation required network access to the AlloyDB cluster and was limited to clusters created through Terraform or the REST API, as other clients blocked it.

Key dates

02 Disclosure timeline

May 12, 2026: CVE published
May 12, 2026: Record updated