```markdown
# 📊 HiddenMerit Daily · Issue 24
> Focus on Database Frontiers, Practical Insights for DBAs
> May 19, 2026 | 10 Selected Global Breaking News
## 01|Dameng Launches DM9 from Hong Kong as Strategic Hub, a “Hardcore Global Calling Card” for Domestic Databases
On May 15, Dameng Data held its 2026 new product launch in Hong Kong, officially unveiling the DM9 database management system and the new DAMENG PAI all‑in‑one machine. By choosing Hong Kong as a strategic hub, Dameng not only takes a key step in deepening its international presence but also builds a bridge for China’s independent database technology to engage with the world, marking a transition from “technology breakthrough” to “going global.”
DM9 introduces over 450 new features and enhancements, covering performance optimisation, high availability, compatibility, security, and multi‑model support. The DAMENG PAI all‑in‑one machine follows a “software‑hardware synergy” concept, delivering extreme performance tuning and intelligent O&M capabilities for high‑grade industry core systems. Earlier in late April, Dameng had already released four new products at the 2026 China Database Technology and Industry Conference: DM9, GDMBASE V4.0, DAMENG PAI V2.0 all‑in‑one, and Qiyun Database V4.0, covering centralised, distributed, cloud‑native, and graph database scenarios. By mid‑May, Dameng brought DM9 and DAMENG PAI to Hong Kong to showcase its technical strength to the Asia‑Pacific and global markets.
- DBA Perspective: Dameng’s choice of Hong Kong as an international springboard means that top domestic DBAs have the opportunity to participate in the core construction of global technology export. Practitioners with O&M experience in DM9 can see their skills’ “marketability” expand from the domestic Xinchuang market to overseas critical systems. For DBAs, this extends career boundaries – mastering domestic database tuning is not only useful in domestic Xinchuang projects but also makes you a key technical contributor in overseas projects.
- CTO Perspective: The trend of domestic databases moving from “replacements” to “definers” is accelerating. DM9 has already been rapidly deployed in critical industries both at home and abroad. If your enterprise has international business needs, Dameng’s global expansion adds a global standard reference for multi‑technology‑stack selection. CTOs can begin to evaluate Dameng alongside international products like Oracle and AWS Aurora under the same lens.
- Investor Perspective: Dameng showcasing its global strategy from Hong Kong is a precise brand elevation – in the capital market, the ability to go global directly corresponds to a higher valuation ceiling. If Dameng subsequently secures benchmark customers in Southeast Asia, the Middle East, and other regions, its SaaS/PaaS service revenue share is likely to increase, worth continuous attention.
Source: Dameng Data 2026 Hong Kong New Product Launch Disclosure
## 02|Alibaba Cloud PolarDB Lakebase Opens Public Beta: One‑Click Lake Access, Direct Connection to Multi‑Modal Engines Boosts AI Efficiency
On May 15, Alibaba Cloud PolarDB officially announced that Lakebase has entered public beta. Lakebase is built on open data lake specifications, combining the cost‑effectiveness of a data lake with the integration capabilities of a data warehouse. Its biggest technical breakthrough is that the PolarDB engine kernel embeds direct connection interfaces to multiple heterogeneous data sources, enabling unified access to multi‑modal data. At the same time, PolarDB has significantly improved machine learning model iteration efficiency and data processing accuracy in internal tests through seamless adaptation.
Since announcing its 2026 Developer Conference, PolarDB has continuously strengthened its AI data lakehouse and model operatorisation direction. Lakebase has already provided a “**lakehouse‑integrated architecture**” during its grey‑scale invitation test phase, offering a cheaper and faster system for machine learning and large language models. According to early users of Alibaba Cloud, Lakebase significantly improves the efficiency of data preparation for large‑model fine‑tuning and RAG recall experiments.
- DBA Perspective: In the past, DBAs had to shuttle ETL pipelines between big data lakes and MPP data warehouses. Lakebase completely breaks this pattern at the engine level. The core responsibility of DBAs will shift from optimising storage formats to orchestrating and governing cross‑domain data views – the boundary between database administrators and data engineers is rapidly blurring.
- CTO Perspective: Lakebase’s “direct lake connection” capability directly reduces the time cost of data movement and cleaning for data scientists in AI experiments. For CTOs, this means an integrated data architecture can accelerate the deployment pace of AI from experimentation to production – the agility of the data stack itself is a competitive advantage.
- Investor Perspective: By extending database services upstream into the AI training and inference data stack via Lakebase, PolarDB increases customer stickiness and creates new incremental revenue streams for public cloud AI income. Investors should pay attention to subsequent revenue disclosures from Alibaba Cloud on AI infrastructure to validate Lakebase’s commercial conversion capability.
Source: Alibaba Cloud PolarDB Lakebase Public Beta Announcement
## 03|OceanBase Open Source Ecosystem Accelerates: OCP 4.4.2-CE Released, Multi‑Modal Convergence Becomes Mainstream Foundation
On May 18, OceanBase Cloud Platform (OCP) 4.4.2-CE was officially released. This upgrade fully adapts the primary‑standby strong‑sync mode and significantly improves monitoring and alerting functions, covering the entire process from cluster configuration and performance diagnosis to automatic failover. OCP Community Edition plays a key role in the OceanBase ecosystem – enabling enterprises to stop relying on custom measurement systems and use production‑grade toolchains to support high‑availability O&M of distributed databases. In addition, the OceanBase 4.4 LTS series continues to invest in the “integrated” architecture, maintaining a leading edge in the integration of TP/AP/vector search. As early as April 28, OceanBase released version V4.6.0, which introduced a native SQL hybrid search interface supporting vector, full‑text, and scalar multi‑modal fused queries, and released the seekdb M0 plugin to create an “external memory hub” for the AI agent framework OpenClaw.
- DBA Perspective: The maturity of an open‑source ecosystem is a red line for enterprises adopting distributed databases. OCP’s monitoring, alerting, and primary‑standby strong‑sync adaptation directly address the production‑level pain points DBAs care about most: reduction in fault detection time and observability of failover. As OceanBase simultaneously doubles down on multi‑modal convergence, DBAs evolve from single‑purpose SQL optimisers into versatile professionals skilled in mixed‑load tuning, vector query performance governance, and ecosystem toolchain construction.
- CTO Perspective: OCP 4.4.2-CE improves the community delivery completeness of financial‑grade disaster recovery, significantly reducing the repetitive development cost of O&M systems for organisations with limited database teams. The strategic push for multi‑modal convergence also provides CTOs with a more agile AI‑native foundation option.
- Investor Perspective: The iteration speed of OCP community versions confirms OceanBase’s commitment to open‑source ecosystem governance, which will continue to feed back into its enterprise edition orders. Investors can use code iteration speed, community contributor activity, and growth in production‑grade community use cases as leading indicators to observe OceanBase’s commercialisation progress.
Source: OceanBase OCP 4.4.2-CE Release Announcement
## 04|PostgreSQL Hit by Storm of High‑Risk Vulnerabilities: MD5 Side‑Channel + SQL Injection + Memory Corruption Triad
On May 14, the PostgreSQL Global Development Group released security updates for five versions: 18.4, 17.10, 16.14, 15.18, and 14.23, fixing 11 CVEs. Among them, CVE-2026-6478 (MD5 password hash timing side‑channel, CVSS 6.5) allows an attacker to recover user credentials byte by byte via timing differences. Although SCRAM-SHA-256 is not affected, many systems upgraded from older versions remain exposed. CVE-2026-6638 (CVSS 8.8) involves an SQL injection in logical replication – a subscriber table creator could inject malicious SQL via REFRESH PUBLICATION, achieving privilege escalation or data manipulation. In CVE-2026-6476 (CVSS 7.2), the pg_createsubscriber tool does not sufficiently sanitise subscriber names, allowing an attacker with pg_create_subscription privilege to run arbitrary SQL as a superuser the next time the tool is executed. CVE-2026-6477 (CVSS 8.1) allows a server superuser to write arbitrary‑sized data onto the client’s stack buffer via a stack overflow in the PQfn() function. Additionally, CVE-2026-6475 (CVSS 8.8) affects symbolic link path traversal in pg_basebackup and pg_rewind, allowing a malicious source to overwrite arbitrary local system files.
- DBA Perspective: The MD5 side‑channel vulnerability reminds DBAs that “legacy” authentication methods should be thoroughly retired – ensure a full inventory of production environments still using MD5 authentication and switch to SCRAM-SHA-256. The pg_basebackup symbolic link path traversal sounds an alarm for backup chain security: when the backup source is untrusted, an attacker could even overwrite system files. Recommended actions: fully upgrade to the latest patched versions, and strictly review the list of roles with pg_create_subscription privileges.
- CTO Perspective: The PostgreSQL community continues its high‑frequency security response cadence with five branch patches. Vulnerabilities involving high‑privilege modules such as backup and logical replication indicate that “component trust boundaries” must be reassessed. It is recommended to incorporate database security hardening into CI/CD mandatory gates, and physically/logically isolate backup environments from production.
- Investor Perspective: Since the PG 14 EOL countdown began, the continued disclosure of high‑risk vulnerabilities will trigger a wave of enterprise demand for database migration and compliance consulting services. The order growth for PG‑ecosystem security toolchains and managed service providers is likely to accelerate significantly in Q3‑Q4.
Source: PostgreSQL Global Development Group
## 05|DB-Engines May 2026 Ranking: Relational Dominance Solid, Domestic Contenders PolarDB and TiDB Make Steady Progress
The May 2026 DB-Engines ranking was released. Relational databases still hold the top four positions: Oracle #1, MySQL #2, Microsoft SQL Server #3, PostgreSQL #4. Among global relational databases, domestic PolarDB and TiDB rank #42 and #43 respectively, OceanBase ranks #54, and GBASE (General Data) ranks as the fourth domestic independent commercial database. These positions reflect the steady forward momentum of the domestic camp in the global market.
- DBA Perspective: Oracle and MySQL will remain the most frequently referenced benchmarks for evaluation in the medium term. The rising overall rankings of domestic databases mean that DBAs working with domestic technology stacks are slowly seeing an increase in their resume bargaining power in the global job market.
- CTO Perspective: The ranking fluctuations remind technical decision‑makers to pay attention to the long‑term direction of the global database ecosystem. The slight upward moves of PolarDB and TiDB are not accidental; they reinforce long‑term expectations for leading domestic databases within technical teams.
- Investor Perspective: The continued dominance of relational databases in the global top four implies a huge ceiling for the replacement market. The steadily climbing rankings of leading domestic databases on DB-Engines reflect the gradual establishment of brand recognition in overseas technical communities, providing endorsement for future “going global” and “technology export” efforts.
Source: DB-Engines May 2026 Ranking
## 06|PICC Technology Procures Three Major Domestic Databases: From “Alternatives” to “Core Standard”
On May 18, PICC Technology (PICC) announced the winning results of its “2025‑2026 Database Related Basic Software Original Factory Standard Service and Expansion Procurement Project (Subsidiary) (Package 2: Database Software Original Factory Standard Service)”, covering original factory standard services for GaussDB, OceanBase, and Dameng databases. The procurement method was competitive negotiation, indicating that the insurer has completed multi‑vendor adaptation and technical reserves on the Xinchuang path, and the procurement model has shifted from “single‑point pilot” to “regular expansion procurement.”
- DBA Perspective: A major insurer procuring three domestic databases in bulk sends a clear signal that demand for domestic database O&M talent will concentrate in the insurance industry. When planning their career paths, DBAs should aim to cover deep O&M and performance tuning skills for at least one of GaussDB, OceanBase, or Dameng, while also tracking job growth from Xinchuang replacement in the insurance sector.
- CTO Perspective: PICC Technology including three domestic databases in a single procurement package shows that the technology decision‑making layer has moved from single‑product lock‑in to open selection. Under the trend of database architecture diversification in large domestic insurance companies, the ability to uniformly operate and migrate across multiple database brands will become a core soft skill.
- Investor Perspective: The insurance industry, as a benchmark sector in the Xinchuang 2.0 phase, adopting three‑brand mixed procurement significantly deepens the competitive landscape for domestic database vendors. The three winning vendors can use this benchmark case to accumulate positive feedback for cross‑industry Xinchuang expansion and gradually increase their market share.
Source: PICC Technology Procurement Announcement
## 07|AWS Aurora Serverless V4 Efficient Scaling: 45% Faster Scaling + 30% Performance Gain, Reducing Costs for AI Agents
In mid‑May, AWS officially updated Aurora Serverless to platform version 4 (Aurora Serverless v4). Compared to the previous version, scaling speed improved by 45%, and database performance increased by up to 30% through intelligent resource scheduling and workload‑aware scaling decisions. AWS explicitly stated that one of the core design goals is to address AI agent burst workloads – serverless clusters scale to zero during idle periods to reduce costs, then spin up rapidly when large numbers of agents run concurrently. Additionally, Aurora DSQL recently announced official support for the JSON data type and optional compression, further accelerating semi‑structured data processing and ensuring seamless compatibility with native PostgreSQL tools.
- DBA Perspective: A 45% improvement in serverless scaling speed means that the previous need to pre‑warm resources to handle “minute‑level bursts” can be greatly simplified. DBAs shift from long‑term resource provisioning to precise definition of scaling policies, but must also pay attention to the impact of cold starts on latency‑sensitive agent applications.
- CTO Perspective: Serverless v4 is designed directly for the “burst‑idle‑burst” pattern of AI agents. For enterprises planning to launch intelligent services in the second half of 2026, this can significantly reduce idle compute costs and raise the elastic throughput ceiling of the architecture – allowing technology teams to spend money on business peaks rather than idle standby.
- Investor Perspective: AWS’s focused iteration on the serverless engine is a sign of the growing maturity of the cloud‑native database market, attracting more AI startups to include Aurora Serverless in their tech stack. Investors should monitor the penetration rate of serverless databases among AI companies as a forward‑looking indicator for gauging the growth potential of cloud data service revenue.
Source: AWS Aurora Serverless v4 Announcement
## 08|Oracle, Yugabyte, and Google Double Down: AI Agent‑Native Data Infrastructure Is Emerging
With the rapid iteration of AI agents, database vendors are intensively launching “AI agent‑native” data infrastructure. Oracle’s newly released Oracle Agent Factory for AI Database allows enterprises to quickly build autonomous agents with contextual memory through a private AI agent factory, deeply integrated with Oracle 23ai’s vector search and multi‑modal data engine. On May 7, Yugabyte released Meko, an agent‑native data infrastructure designed for multi‑agent AI systems. Meko focuses on managing dynamic data generated by agent systems, such as conversation history, contextual knowledge, action traces, and long‑term memory, solving the memory bottleneck of multi‑agent AI.
From Google’s side, the Google Cloud Next‘26 conference in early May announced the MCP Toolbox (Agentic Data Cloud), enabling users to directly query underlying databases via natural language. Several giants are racing toward the “Agentic” ecosystem from different technical routes, releasing a clear industrial signal: databases are being rewritten as the “memory and decision infrastructure” for AI agents.
- DBA Perspective: AI agent access patterns – high‑frequency small batches, cross‑session persistence, multi‑tenant logical isolation – completely overturn traditional connection pool management and slow query monitoring systems. DBAs must start studying observability methods for agent workloads, as well as audit trails and least‑privilege strategies tailored to agent access patterns.
- CTO Perspective: Three vendors – Oracle, Yugabyte, and Google – simultaneously making moves on the “agent‑native” dimension indicates that agent intelligence has become a core design variable for data infrastructure. CTOs should include agent workload support as a mandatory item in their 2026 data architecture roadmaps for database selection and private deployment.
- Investor Perspective: Agent‑native data infrastructure is a new differentiator in the database track. Oracle leverages its mature enterprise market base, Yugabyte enters through the distributed SQL open‑source ecosystem, and Google captures developer mindshare with cloud‑native integration – three routes racing in parallel. Investors should track the customer implementation cadence of these vendors in the agent space as a measure of commercial conversion efficiency.
Source: Yugabyte Meko Announcement & Oracle Agent Factory Product Page
## 09|Tech Giants Deploy: Oracle 23ai Enhances SQL Polymorphic Table Functions, Microsoft SQL Server 2026 Preview
In the first half of May, the tech community continued to track product evolution and market signals from Oracle and Microsoft in the database AI track. Oracle 23ai received a major update in April, enhancing the SQL polymorphic table function (PTF) feature to support embedding AI/ML inference directly in SQL, allowing developers to perform feature engineering and model inference calls at the database kernel level, reducing the complexity of AI data pipelines. Microsoft plans to release the next‑generation SQL Server 2026 in the second half of 2026, focusing on hybrid data architecture deeply integrated with Azure and built‑in AI/ML inference capabilities, aiming to address the convergence trend of cloud‑native databases and AI workloads. Additionally, Oracle Database@AWS added a new region in Switzerland (Zurich), enabling European customers to directly use Oracle Exadata database services on AWS, marking the continued progress of Oracle’s cross‑cloud collaboration.
- DBA Perspective: Embedding AI inference calls directly in the SQL engine will change the performance optimisation boundaries for DBAs – previously only concerned with indexes and SQL structure, now also needing to evaluate the computational overhead and caching strategies of model inference, demanding more refined resource management for mixed workloads. The hybrid architecture direction of SQL Server 2026 also suggests that DBAs need to prepare unified O&M capabilities spanning on‑premises and cloud environments.
- CTO Perspective: The three traditional database giants (Oracle, Microsoft, IBM) have all gone all‑in on AI‑In‑Database. Continued investment from Microsoft and Oracle gives CTOs more options for data architecture selection, but also requires them to thoroughly evaluate the latency sensitivity and total cost of ownership for real‑time inference on core business.
- Investor Perspective: Oracle and Microsoft embedding AI inference directly into the SQL layer will affect the conversion landscape for cloud data service orders. Over the next three years, enterprise customers will increasingly favour integrated databases that can handle “TP+AP+AI inference” in a single system, reducing integration costs. Changes in ARR and customer retention rates among leading cloud database vendors are core quantitative metrics for measuring the progress of AI‑database convergence.
Source: Oracle & Microsoft Technical Documentation and Industry Disclosures
## 10|Database Security Alarms Again: PraisonAI Framework SQL Injection Across 9 Backends, Strapi Sensitive Data Leak
Recently, several data‑related open‑source projects have been exposed with high‑severity security vulnerabilities. CVE-2026-41496 (CVSS 9.0) affects the popular AI multi‑agent framework PraisonAI, allowing an attacker to perform arbitrary SQL injection across nine database backends (MySQL, PostgreSQL, Turso, Supabase, SurrealDB, etc.) via an unvalidated table_prefix parameter. Strapi (CVE-2026-27886) suffers from insufficient query sanitisation, allowing attackers to leak sensitive data through relationship filters. At the same time, real‑world incidents have been exposed, such as Elasticsearch production credentials leaked via SQL injection (Taiwan, ZD-2026-00678) and the phpMyAdmin admin interface fully exposed to public brute‑force attacks on the root password (ZD-2026-00682). The security community now regards AI multi‑agent frameworks and no‑code platforms as new attack high grounds.
- DBA Perspective: The SQL injection vulnerability in the AI multi‑agent framework spanning nine database backends is a comprehensive security penetration demonstration targeting the data infrastructure chain. DBAs must work with security teams to include AI gateways and agent middleware in a zero‑trust policy for database access, strictly prohibit the use of superuser privileges to connect to any production database instance, and establish mandatory standards for API‑level parameterised queries to completely block common injection risks such as table prefix concatenation.
- CTO Perspective: The reason the PraisonAI vulnerability has such a large blast radius is the inherent deficiency in security consistency within the multi‑backend abstraction layer design. Enterprises adopting multi‑agent frameworks must enforce security benchmark testing gates during architecture review, regardless of the framework’s “concept popularity.”
- Investor Perspective: The widespread SQL injection outbreak in AI agent frameworks brings a new wave of demand for the AI security and vulnerability scanning track. Security companies capable of deep scanning across the various traditional databases and new backend stores that AI frameworks rely on are likely to benefit from order spillover in enterprise security budgets.
Source: CVE-2026-41496 Disclosure & Security Community Public Analysis
## 📅 Recent Database Hot Topics Recap
| Date | Event | Core Highlights |
|------|-------|-----------------|
| May 14 | PostgreSQL releases security updates for 5 versions | Fixes 11 CVEs; MD5 side‑channel + logical replication injection hit many versions |
| May 15 | Dameng Data 2026 Hong Kong new product launch | DM9 and DAMENG PAI officially go global; building a bridge for Chinese databases |
| May 15 | Alibaba Cloud PolarDB Lakebase public beta begins | Embedded direct connection interfaces for heterogeneous data sources; unified multi‑modal data access |
| May 18 | OceanBase releases OCP 4.4.2-CE | Primary‑standby strong sync + monitoring/alerting upgrades; continuing multi‑modal integration |
| May 18 | PICC Technology procures three domestic databases | GaussDB, OceanBase, Dameng move from “pilot” to “regular expansion procurement” |
| May 18 | DB-Engines May 2026 ranking released | Oracle/MySQL/MSSQL/PG top four stable; PolarDB/TiDB rankings steadily improving |
| May 18 | Oracle, Yugabyte, Google intensively launch “agent‑native” data infrastructure | Agent intelligence becomes core design variable for databases |
| May 18 | 7‑Eleven attacked by ShinyHunters | Large amount of franchisee data and Salesforce records stolen |
| May 19 | PraisonAI multi‑backend SQL injection (CVE-2026-41496) shocks security community | AI framework covering 9 DB engines becomes new attack high ground |
| May 19 | Oracle 23ai enhances SQL PTF, Microsoft SQL Server 2026 preview | AI inference embedded in SQL engine; traditional databases fully embrace AI |
| May 19 | Oracle Database@AWS adds new Switzerland region | European customers can use Exadata service directly on AWS |
## 📌 Issue Summary
| News | Core Keywords | DBA Actions | CTO/Decision‑Maker Focus | Investor Perspective |
|------|---------------|-------------|--------------------------|----------------------|
| Dameng Hong Kong launch | DM9 going global, globalisation strategy, independent control | Master DM9 tuning skills; become core technical reserve for overseas projects | Include domestic DBs in global selection; compare with Oracle/Aurora | Global capability supports higher valuation ceiling |
| Alibaba Cloud PolarDB Lakebase public beta | Lakehouse integration, multi‑modal engine direct connect, AI data efficiency | Shift from storage format optimisation to cross‑domain data view orchestration | Integrated architecture accelerates AI from experiment to production | Extending upstream to data services contributes new AI revenue |
| OceanBase OCP 4.4.2-CE | Primary‑standby strong sync, multi‑modal convergence, open‑source ecosystem | Mixed‑load tuning + vector query governance + ecosystem toolchain construction | Multi‑modal foundation provides AI‑native option; reduces repetitive O&M development | Open‑source iteration feeds back into enterprise orders; community activity is a leading indicator |
| PostgreSQL high‑risk vulnerability storm | MD5 side‑channel, logical replication injection, stack overflow | Full upgrade + enforce SCRAM-SHA-256 + isolate backup sources | Include security hardening in CI/CD gates; isolate backup environments | Triggers enterprise migration and compliance procurement demand |
| DB-Engines May ranking | Relational dominance stable, domestic rankings rising | Domestic tech stack resume bargaining power increases | Monitor long‑term global ecosystem direction; top domestic rankings not accidental | Brand recognition built, endorsing global expansion and tech export |
| PICC Technology three‑brand procurement | GaussDB, OceanBase, Dameng regular procurement | Deep O&M and tuning for at least one leading domestic DB | Xinchuang path moves from single‑vendor lock‑in to open selection | Benchmark case deepens vendor competitive position |
| AWS Aurora Serverless v4 | 45% faster scaling, AI agent cost reduction | Move from resource provisioning to scaling policy definition; watch cold start impact | Addresses “burst‑idle‑burst” pattern; reduces idle compute costs | Serverless DB penetration rate is a forward indicator for cloud growth |
| AI agent‑native data infrastructure | Oracle Agent Factory, Yugabyte Meko, Agentic Data Cloud | Study agent workload observability and least‑privilege policies | Include agent workload support as a DB selection mandatory item | Three routes race; customer implementation cadence determines commercial conversion |
| Oracle & Microsoft DB AI upgrades | Polymorphic table functions, SQL Server 2026 preview, cross‑cloud | Evaluate model inference compute overhead; prepare unified on‑prem + cloud O&M | Assess latency sensitivity and TCO for real‑time inference on core business | “One system” reduces integration costs; ARR and retention are key metrics |
| PraisonAI and other security vulnerabilities | CVE-2026-41496, 9 DB backends, AI agent attack high ground | Zero‑trust policies + mandatory API parameterised queries + no superuser for production | Enforce security benchmark gates during tech selection | AI security track sees new demand window; security companies benefit from order spillover |
> HiddenMerit Team Production
> Slogan: 绩优隐于内,金石启新程 | Hidden deep. Merit bold. Forge ahead.
```
No comments yet