CRITICALCVE-2026-7428Published 2026-05-12Modified 2026-05-12CNA GoogleCloud

CVE-2026-7428: Insecure default administrative credentials in AlloyDB for PostgreSQL

Prior to 2025-11-03, well-intended users of Terraform or REST API for Google Cloud AlloyDB for PostgreSQL could have created clusters with an insecure default password which could have been exploited by a remote attacker to gain full administrative access to the database. Exploitation required network access to the AlloyDB cluster and was limited to Terraform or the REST API, as other clients blocked it.

CVSS v4.0: 9.2
Severity: CRITICAL
Fixed in: 2025-11-03
Affected Products: 1

Fix available

2025-11-03

Affected packages

Google Cloud / AlloyDB for PostgreSQL
< 2025-11-03 (from 0)

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/U:Amber

References

docs.cloud.google.com

Metrics

Fix available