CVE-2026-7428 - Vulnerability Details - OpenCVE

Prior to 2025-11-03, well-intended users of Terraform or REST API for Google Cloud AlloyDB for PostgreSQL could have created clusters with an insecure default password which could have been exploited by a remote attacker to gain full administrative access to the database. Exploitation required network access to the AlloyDB cluster and was limited to Terraform or the REST API, as other clients blocked it.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact Low

Subsequent System Availability Impact Low

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
https://docs.cloud.google.com/alloydb/docs/release-notes#April_28_2026

History

Tue, 12 May 2026 09:30:00 +0000

Type	Values Removed	Values Added
Description		Prior to 2025-11-03, well-intended users of Terraform or REST API for Google Cloud AlloyDB for PostgreSQL could have created clusters with an insecure default password which could have been exploited by a remote attacker to gain full administrative access to the database. Exploitation required network access to the AlloyDB cluster and was limited to Terraform or the REST API, as other clients blocked it.
Title		Insecure default administrative credentials in AlloyDB for PostgreSQL
Weaknesses		CWE-1392
References		https://docs.cloud.google.com/alloydb/docs/release-notes#April_28_2026
Metrics		cvssV4_0 `{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/U:Amber'}`

MITRE

Status: PUBLISHED

Assigner: GoogleCloud

Published: 2026-05-12T09:16:35.151Z

Updated: 2026-05-12T09:16:35.151Z

Reserved: 2026-04-29T14:38:05.602Z

Link: CVE-2026-7428

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-7428", "assignerOrgId": "f45cbf4e-4146-4068-b7e1-655ffc2c548c", "state": "PUBLISHED", "assignerShortName": "GoogleCloud", "dateReserved": "2026-04-29T14:38:05.602Z", "datePublished": "2026-05-12T09:16:35.151Z", "dateUpdated": "2026-05-12T09:16:35.151Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "f45cbf4e-4146-4068-b7e1-655ffc2c548c", "shortName": "GoogleCloud", "dateUpdated": "2026-05-12T09:16:35.151Z"}, "title": "Insecure default administrative credentials in AlloyDB for PostgreSQL", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-1392", "description": "CWE-1392 Use of default credentials", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-70", "descriptions": [{"lang": "en", "value": "CAPEC-70 Try Common or Default Usernames and Passwords"}]}], "affected": [{"vendor": "Google Cloud", "product": "AlloyDB for PostgreSQL", "versions": [{"status": "affected", "version": "0", "lessThan": "2025-11-03", "versionType": "date"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Prior to 2025-11-03,\u00a0well-intended users of Terraform or REST API for Google Cloud AlloyDB for PostgreSQL could have created clusters\u00a0with an insecure default password which could have been exploited by a\u00a0remote\u00a0attacker\u00a0to\u00a0gain full administrative access to the database.\n\n\n\n\nExploitation required network access to the AlloyDB cluster and was limited to Terraform or the REST API, as other clients blocked it.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<div><span>Prior to 2025-11-03, </span>well-intended users of Terraform or REST API for Google Cloud AlloyDB for PostgreSQL could have created clusters <span>with an insecure default password which could have been exploited by a </span>remote<span> attacker </span><span>to gain full administrative access to the database.</span></div><div><br></div><span>Exploitation required network access to the AlloyDB cluster and was limited to Terraform or the REST API, as other clients blocked it</span><span>.</span>"}]}], "tags": ["exclusively-hosted-service"], "references": [{"url": "https://docs.cloud.google.com/alloydb/docs/release-notes#April_28_2026"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "LOW", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "AMBER", "version": "4.0", "baseSeverity": "CRITICAL", "baseScore": 9.2, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/U:Amber"}}], "solutions": [{"lang": "en", "value": "This vulnerability was patched on November 3, 2025.\n\n\n\nImpacted instances have been proactively remediated, and no customer action is needed.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>This vulnerability was patched on November 3, 2025.</p><p>Impacted instances have been proactively remediated, and no customer action is needed.</p>"}]}], "credits": [{"lang": "en", "value": "Mark Lawrenson", "type": "reporter"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}}}