External risk intelligence

Google Cloud AlloyDB could allow an external attacker to gain full administrative database access.

CVE advisory
Severity: CRITICAL (CVSS 9.2)

CVE-2026-7428

Databases created in Google Cloud AlloyDB for PostgreSQL using automation may contain insecure default passwords, allowing an external attacker to gain full administrative access. This could let unauthorized users steal sensitive business data and compromise your systems.

Halo Surface Signal: 2 (Unlikely)

External exposure likelihood

Halo Surface Signal score for CVE-2026-7428

AlloyDB is a database service, typically deployed within private cloud environments protected by network access controls. Instances attach to a VPC over private IP by default; public IP is opt-in per instance and, when enabled, is limited to authorized external networks. Databases are network-reachable, but they are not intended to be public-facing services, so direct internet exposure of an AlloyDB cluster is an uncommon deployment pattern and is generally prevented by standard internal network security configuration.

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in Google Cloud AlloyDB for PostgreSQL allowed clusters created through Terraform or the REST API to be provisioned with an insecure default administrative password. An attacker who can reach such a cluster over the network and authenticates with that default gains full administrative access to the database.

  • Attackers could gain full admin access.
  • Requires network access to the database.
  • Affects clusters created with Terraform or the REST API.

Attack Path

How an attacker could exploit the issue

The insecure default password was set at cluster creation time when the cluster was provisioned through Terraform or the REST API. An attacker does not need either tool to exploit it: once they can reach the AlloyDB cluster over the network, any ordinary PostgreSQL client that authenticates with the default password obtains the administrative role and full control of the database.

  • Network access to the cluster is needed.
  • The cluster must have been created via Terraform or the REST API.
  • The insecure default password is the key; no further exploit is required.
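A preventive control for the automation paths named above, added here as an example and not code from Google or the advisory: a POSIX shell wrapper that creates an AlloyDB cluster through the REST API only when the request body explicitly sets `initialUser.password`. The `initialUser` field and the `clusters` endpoint are part of the published AlloyDB v1 API; the project, network and cluster names are placeholders, the weak body is a constructed request that simply omits `initialUser` (the page does not state which exact request shape produced the default), and generating the password with `openssl rand` is an assumption about how the caller obtains a secret.

```shell
#!/bin/sh
# Added example, not Google's code: create an AlloyDB cluster via the REST API
# only when the request explicitly sets the administrative password.

# body_sets_admin_password BODY
# Succeeds (exit 0) only if BODY contains an initialUser object with a
# non-empty password. A missing or empty password is treated as unsafe.
body_sets_admin_password() {
  printf '%s' "$1" |
    grep -Eq '"initialUser"[[:space:]]*:[[:space:]]*\{[^}]*"password"[[:space:]]*:[[:space:]]*"[^"]+"'
}

# new_admin_password: 24 random bytes, base64 (no quotes or backslashes, so the
# value can be embedded in JSON without escaping). Assumed generator.
new_admin_password() {
  openssl rand -base64 24 | tr -d '\n'
}

# make_cluster_body NETWORK PASSWORD
# Hardened request body: the initial user and its password are set explicitly.
make_cluster_body() {
  printf '{"networkConfig":{"network":"%s"},"initialUser":{"user":"postgres","password":"%s"}}' \
    "$1" "$2"
}

# Constructed weak body: no initialUser at all, leaving the password to service defaults.
WEAK_BODY='{"networkConfig":{"network":"projects/example-project/global/networks/example-vpc"}}'

# create_cluster PROJECT REGION CLUSTER_ID BODY
# Refuses to send a request that does not set the admin password (exit 2);
# otherwise POSTs to the AlloyDB v1 clusters endpoint. Needs gcloud and curl.
create_cluster() {
  project="$1"; region="$2"; cluster_id="$3"; body="$4"
  if ! body_sets_admin_password "$body"; then
    printf 'refusing to create %s: request sets no initialUser.password\n' "$cluster_id" >&2
    return 2
  fi
  curl -sS -X POST \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Content-Type: application/json" \
    "https://alloydb.googleapis.com/v1/projects/$project/locations/$region/clusters?clusterId=$cluster_id" \
    -d "$body"
}

# Stand-alone demo (pass "demo" as $1): the weak body is rejected locally; the
# hardened one is sent to the real endpoint, so only run it against a project you own.
if [ "${1:-}" = demo ]; then
  create_cluster example-project us-central1 demo-cluster "$WEAK_BODY" || echo "weak body rejected (exit $?)"
  create_cluster example-project us-central1 demo-cluster \
    "$(make_cluster_body projects/example-project/global/networks/example-vpc "$(new_admin_password)")"
fi
```

The check is deliberately done on the request before it leaves the pipeline, which is where a CI policy gate for Terraform or REST-driven provisioning belongs; the same `initialUser` guard applies to a Terraform `google_alloydb_cluster` resource, where the equivalent is setting the `initial_user` block's password from a secret rather than leaving it unset.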

Live Threat

Current exploitation, exposure, and threat context

This vulnerability, affecting Google Cloud AlloyDB for PostgreSQL, could be weaponized by attackers if they can achieve network access to the database cluster. The insecure default was only set on clusters created through Terraform or the REST API; clusters created through other client types were not affected, so the exposed population is a subset of AlloyDB deployments rather than every cluster, which points to targeted rather than widespread attacks.

  • Limited to clusters created via Terraform or the REST API.
  • No observed exploitation signals.
  • Published in May 2026.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize identifying and securing AlloyDB clusters created before April 28, 2026, since those created through Terraform or the REST API may still carry the insecure default administrative password. Because this is a managed service, there is nothing for the customer to patch; the fix is to set a new, strong password on the administrative user of every candidate cluster.

  • Remediate by rotating the administrative user's password on each affected cluster and updating the applications that depend on it.
  • If rotation is delayed, restrict network access to the cluster (private IP only, or public IP limited to authorized external networks).
  • Monitor for unexpected administrative logins: enable connection logging (the PostgreSQL log_connections flag) and alert on administrative-user sessions from unexpected source addresses.
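The identify-and-rotate step above, as an added example and not Google's or the advisory's code: a POSIX shell script that lists AlloyDB clusters in a region with gcloud, keeps those whose createTime precedes the cutoff, and sets a fresh random password on the administrative user with `gcloud alloydb users set-password`. The gcloud commands and the cluster resource-name layout are the published ones; the cutoff date is the one stated in this section, the administrative user name `postgres` is AlloyDB's default initial user, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example, not Google's code: find AlloyDB clusters created before the
# cutoff and rotate the administrative password on each one.

CUTOFF="${CUTOFF:-2026-04-28T00:00:00Z}"   # cutoff from the advisory summary
ADMIN_USER="${ADMIN_USER:-postgres}"        # AlloyDB's default initial user (assumed)

# list_clusters REGION
# One "name,createTime" line per cluster, e.g.
# projects/p/locations/us-central1/clusters/c,2026-01-15T10:22:31.123456Z
list_clusters() {
  gcloud alloydb clusters list --region="$1" --format='csv[no-heading](name,createTime)'
}

# select_affected CUTOFF
# Reads "name,createTime" lines on stdin and prints the names created before
# CUTOFF. Both sides are RFC 3339 UTC timestamps, so string order is time order.
select_affected() {
  awk -F, -v cutoff="$1" 'NF >= 2 && $2 < cutoff { print $1 }'
}

# resource_field NAME INDEX: pick one segment of projects/P/locations/R/clusters/C
resource_field() {
  printf '%s\n' "$1" | awk -F/ -v i="$2" '{ print $i }'
}

# rotate_admin_password RESOURCE_NAME
# Generates a new random password and applies it to the admin user. Store the
# new value in a secret store before handing it to applications. stdin is
# redirected so gcloud cannot consume the cluster list feeding the loop.
rotate_admin_password() {
  region=$(resource_field "$1" 4)
  cluster=$(resource_field "$1" 6)
  newpw=$(openssl rand -base64 24 | tr -d '\n')
  gcloud alloydb users set-password "$ADMIN_USER" \
    --cluster="$cluster" --region="$region" --password="$newpw" </dev/null
  printf 'rotated %s on %s\n' "$ADMIN_USER" "$1"
}

# Constructed sample listing: one cluster on each side of the cutoff.
SAMPLE_LISTING='projects/example-project/locations/us-central1/clusters/legacy-cluster,2026-01-15T10:22:31.123456Z
projects/example-project/locations/us-central1/clusters/fresh-cluster,2026-05-02T08:00:00Z'

# With a region argument: run against the real project (needs gcloud and openssl).
# Without one: dry run over the constructed sample, printing what would be rotated.
if [ $# -ge 1 ]; then
  list_clusters "$1" | select_affected "$CUTOFF" | while read -r name; do
    rotate_admin_password "$name"
  done
else
  printf '%s\n' "$SAMPLE_LISTING" | select_affected "$CUTOFF" | sed 's/^/would rotate: /'
fi
```

The cluster listing does not record which client created a cluster, so every pre-cutoff cluster is treated as a candidate; rotating a password that was already strong is harmless, while skipping an affected one is not. Passing `--password` on the command line exposes the value in process listings on the operator's machine, so run this from a hardened host and prefer feeding the new secret straight into a secret manager.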

Frequently asked questions

What is the vulnerability in Google Cloud AlloyDB for PostgreSQL?

A vulnerability allowed users to create AlloyDB for PostgreSQL clusters with an insecure default password before November 3, 2025. This could enable remote attackers to gain full administrative access to the database if they had network access to the cluster.

How can an attacker exploit this AlloyDB vulnerability?

Exploitation requires network access to the AlloyDB cluster. An attacker could leverage the insecure default password, created when setting up the cluster via Terraform or the REST API, to gain full administrative control.

What is the classification of the AlloyDB vulnerability's exposure?

The vulnerability is classified as external because the CVSS v4.0 Attack Vector is Network (AV:N): it is exploited over the network stack rather than through local access. That does not by itself mean the cluster is reachable from the internet; actual reachability depends on whether the instance uses private IP only or has public IP enabled with authorized external networks.

What is the relevance of the Halo Surface Signal score for this CVE?

The Halo Surface Signal score is 2 (Unlikely). This is because AlloyDB is a database service typically within private networks with access controls, and direct internet exposure is not a common or intended deployment pattern.

How can organizations respond to the AlloyDB vulnerability?

Organizations should identify AlloyDB clusters created before April 28, 2026, as those provisioned through Terraform or the REST API might still have the insecure default administrative password. Rotating the administrative user's password on each such cluster is the fix, since there is nothing to patch on the customer side of a managed service. If rotation is delayed, restricting network access to the cluster and monitoring for unexpected administrative logins are the recommended interim measures.
