CVE-2026-7428

CRITICAL

Insecure default administrative credentials in AlloyDB for PostgreSQL

Title source: cna

Description

Prior to 2025-11-03, well-intended users of Terraform or REST API for Google Cloud AlloyDB for PostgreSQL could have created clusters with an insecure default password which could have been exploited by a remote attacker to gain full administrative access to the database. Exploitation required network access to the AlloyDB cluster and was limited to Terraform or the REST API, as other clients blocked it.

References (1)

Core 1

Core References

https://docs.cloud.google.com/alloydb/docs/release-notes#April_28_2026

Scores

CVSS v4 9.2

EPSS 0.0024

EPSS Percentile 14.8%

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-1392

Status published

Products (1)

Google Cloud/AlloyDB for PostgreSQL < 2025-11-03

Published May 12, 2026

Tracked Since May 12, 2026