Description
Prior to 2025-11-03, well-intended users of Terraform or REST API for Google Cloud AlloyDB for PostgreSQL could have created clusters with an insecure default password which could have been exploited by a remote attacker to gain full administrative access to the database.




Exploitation required network access to the AlloyDB cluster and was limited to Terraform or the REST API, as other clients blocked it.
Published: 2026-05-12
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Prior to November 3, 2025, users of Terraform or the Google Cloud REST API could create AlloyDB for PostgreSQL clusters with an insecure default administrative password. This flaw enabled a remote attacker who had network connectivity to the cluster to obtain full administrative privileges, compromising confidentiality, integrity, and availability of the data. The vulnerability is an instance of insecure default credentials, which is mapped to CWE‑1392.

Affected Systems

All Google Cloud AlloyDB for PostgreSQL clusters that were provisioned via Terraform or the REST API before the November 3, 2025 patch are affected. No other clients or later cluster creations are impacted, and there are no specific version numbers beyond the patch date.

Risk and Exploitability

The CVSS score of 9.2 indicates critical severity. The EPSS score is not available, so the current probability of exploitation is unknown, and the vulnerability is not listed in the CISA KEV catalog, suggesting no known active exploitation. Exploitation required network access to the cluster and was limited to Terraform or REST API operations; other access methods are blocked. Because all impacted instances have already been remediated, there is no immediate risk to existing deployments.

Generated by OpenCVE AI on May 12, 2026 at 11:05 UTC.

Remediation

Vendor Solution

This vulnerability was patched on November 3, 2025. Impacted instances have been proactively remediated, and no customer action is needed.

OpenCVE Recommended Actions

  • All affected AlloyDB for PostgreSQL clusters have been remediated by the vendor; no further action is required.
  • Confirm that new AlloyDB clusters are provisioned after the 2025‑11‑03 patch and that they do not contain the insecure default administrator password.
  • Maintain normal security monitoring and audit-logging for all AlloyDB clusters to detect any anomalous administrative activity.

Generated by OpenCVE AI on May 12, 2026 at 11:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 12 May 2026 09:30:00 +0000

Type Values Removed Values Added
Description Prior to 2025-11-03, well-intended users of Terraform or REST API for Google Cloud AlloyDB for PostgreSQL could have created clusters with an insecure default password which could have been exploited by a remote attacker to gain full administrative access to the database. Exploitation required network access to the AlloyDB cluster and was limited to Terraform or the REST API, as other clients blocked it.
Title Insecure default administrative credentials in AlloyDB for PostgreSQL
Weaknesses CWE-1392
References
Metrics cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/U:Amber'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GoogleCloud

Published:

Updated: 2026-05-12T12:25:06.189Z

Reserved: 2026-04-29T14:38:05.602Z

Link: CVE-2026-7428

cve-icon Vulnrichment

Updated: 2026-05-12T12:25:01.074Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-12T10:16:48.490

Modified: 2026-05-12T15:09:58.693

Link: CVE-2026-7428

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T11:15:14Z

Weaknesses