
External risk intelligence

AlloyDB could allow external attackers to gain full administrative database access.

Google Cloud AlloyDB for PostgreSQL instances provisioned via Terraform or the REST API before November 2025 could allow external attackers with direct network access to gain full administrative database control. This vulnerability potentially exposes stored customer data and sensitive information.

NVD published May 12, 2026

External risk brief: CRITICAL

CVE-2026-7428

Halo Surface Signal

2 / 5

AlloyDB is a managed database service typically deployed within private cloud networks. Although instances are network-reachable, public internet exposure is uncommon: they are generally restricted to internal VPC environments or specific private network paths and are not designed to be directly accessible from the public internet.

Exposure facts

H – Horizon Alert

A security vulnerability has been identified in Google Cloud AlloyDB for PostgreSQL, where database clusters created using Terraform or the REST API were provisioned with an insecure default password. This configuration could potentially allow a remote attacker to bypass security controls and gain full administrative access to the database. It is important to be aware that this specific issue is limited to these automated provisioning methods and does not impact other management tools.

A – Asset Exposure

This issue impacts Google Cloud AlloyDB for PostgreSQL instances that were configured using Terraform or the REST API. If a database was created with an insecure default password, an individual with direct network access to the cluster could potentially gain full admin access to the system. Because this requires specific connectivity to the cluster, the risk is typically confined to those with established network paths rather than broad public internet exposure. This exposure could jeopardize the security of stored customer data and other sensitive information managed within the database.

L – Live Threat

There is no indication of active exploitation or public exploit activity associated with this vulnerability, and the available context does not indicate observed targeting. The risk pertains to the historical potential for insecure default passwords to be set when creating specific database clusters.

O – Operational Fix

To address this potential credential vulnerability, please audit database clusters that were provisioned using Terraform or the REST API prior to November 2025. It is recommended that your team verify that all administrative passwords comply with your organization's current security requirements. If you identify any clusters still utilizing default configurations, update the access credentials immediately to ensure they are secure and unique. Consult the official Google Cloud documentation for further guidance on verifying and updating your database security posture.
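One way to scope the audit described above, as an added example that is not part of the original brief or Google's tooling: it reads a cluster inventory such as the JSON printed by `gcloud alloydb clusters list --format=json` and lists clusters created before the cutoff. The cutoff of 2025-11-01 UTC is an assumed reading of "prior to November 2025", the `name` and `createTime` fields are assumed to follow the AlloyDB Cluster resource shape, and the sample inventory is constructed.

```python
import json
import re
from datetime import datetime, timezone

# Assumption: "prior to November 2025" is read as createTime < 2025-11-01T00:00:00Z.
CUTOFF = datetime(2025, 11, 1, tzinfo=timezone.utc)
NAME_RE = re.compile(r"^projects/([^/]+)/locations/([^/]+)/clusters/([^/]+)$")

# Constructed sample inventory (hypothetical project and cluster names).
SAMPLE = json.dumps([
    {"name": "projects/example-proj/locations/us-central1/clusters/orders", "createTime": "2025-06-14T09:21:33.123456789Z"},
    {"name": "projects/example-proj/locations/europe-west1/clusters/billing", "createTime": "2025-11-01T00:00:00Z"},
    {"name": "projects/example-proj/locations/us-east1/clusters/legacy", "createTime": "2025-10-31T23:30:00-02:00"},
    {"name": "projects/example-proj/locations/us-east1/clusters/nodate"},
])

def parse_rfc3339(ts):
    """Parse an RFC 3339 timestamp, truncating fractions finer than microseconds."""
    m = re.fullmatch(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(\.\d+)?(Z|[+-]\d\d:\d\d)", ts)
    if not m:
        raise ValueError(f"not an RFC 3339 timestamp: {ts!r}")
    base, frac, tz = m.groups()
    frac = (frac or ".")[:7].ljust(7, "0")  # exactly six fractional digits
    tz = "+00:00" if tz == "Z" else tz
    return datetime.fromisoformat(f"{base}{frac}{tz}")

def clusters_to_review(inventory_json):
    """Return sorted (project, location, cluster, createTime) rows needing a password review."""
    flagged = []
    for cluster in json.loads(inventory_json):
        name = cluster.get("name", "")
        created = cluster.get("createTime")
        m = NAME_RE.match(name)
        if not m or not created:
            # Incomplete record: surface it for manual review rather than skipping it.
            flagged.append(("?", "?", name or "<unnamed>", created or "<missing>"))
            continue
        if parse_rfc3339(created) < CUTOFF:
            flagged.append((*m.groups(), created))
    return sorted(flagged)

if __name__ == "__main__":
    for row in clusters_to_review(SAMPLE):
        print("\t".join(row))
```

Creation date only narrows the set: whether a flagged cluster was provisioned through Terraform or the REST API, and whether its administrative password was ever changed, still has to be confirmed per cluster.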
