CVE-2026-7428 | THREATINT

Description

Prior to 2025-11-03, well-intended users of Terraform or REST API for Google Cloud AlloyDB for PostgreSQL could have created clusters with an insecure default password which could have been exploited by a remote attacker to gain full administrative access to the database. Exploitation required network access to the AlloyDB cluster and was limited to Terraform or the REST API, as other clients blocked it.

PUBLISHED Reserved 2026-04-29 | Published 2026-05-12 | Updated 2026-05-12 | Assigner GoogleCloud

CRITICAL: 9.2CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/U:Amber

Problem types

CWE-1392 Use of default credentials

Product status

Default status

unaffected

Any version before 2025-11-03

affected

Credits

Mark Lawrenson reporter

References

docs.cloud.google.com/alloydb/docs/release-notes

cve.org (CVE-2026-7428)

nvd.nist.gov (CVE-2026-7428)

Download JSON