CVE-2026-7428

Insecure default administrative credentials in AlloyDB for PostgreSQL

CVSS 9.2 CRITICALEPSS 0.2%CWE-1392

Vexday Risk Score

28Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 9.2EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

12 may 2026Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

Prior to 2025-11-03, well-intended users of Terraform or REST API for Google Cloud AlloyDB for PostgreSQL could have created clusters with an insecure default password which could have been exploited by a remote attacker to gain full administrative access to the database. Exploitation required network access to the AlloyDB cluster and was limited to Terraform or the REST API, as other clients blocked it.

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/U:Amber

Productos afectados

Google Cloud · AlloyDB for PostgreSQL

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://docs.cloud.google.com/alloydb/docs/release-notes#April_28_2026