Insecure Default Password in Google Cloud AlloyDB for PostgreSQL by Google
CVE-2026-7428

9.2CRITICAL

Key Information:

Vendor: Google Cloud
Status: Alloydb For Postgresql
Vendor: CVE Published:; 12 May 2026

🔔 Create Google Cloud Vulnerability Alert

What is CVE-2026-7428?

Prior to November 3, 2025, a vulnerability in Google Cloud AlloyDB for PostgreSQL allowed users to inadvertently create database clusters with an insecure default password through Terraform and the REST API. This flaw could potentially be exploited by remote attackers with network access to the AlloyDB cluster, enabling them to gain full administrative access. Other clients were unaffected as they blocked this type of access, highlighting the importance of secure configuration practices when setting up cloud resources.

Affected Version(s)

AlloyDB for PostgreSQL 0 < 2025-11-03

References

https://docs.cloud.google.com/alloydb/docs/release-notes#...

CVSS V4

Score:

9.2

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 12, 2026
Vulnerability Reserved
Apr 29, 2026

Credit

Mark Lawrenson

CVE-2026-7428 Data

JSON