📊 HiddenMerit Daily · Issue 27
Focus on Database Frontiers, Practical Insights for DBAs
May 22, 2026 | 5 Selected Global News Items
01|ChromaDB Exposed to Highest Severity Vulnerability: 10 Million Downloads AI Vector Database Hides “Remote Hijacking” Risk for RAG Applications
ChromaDB, an open‑source vector database widely used by application developers, has recently been found to contain a highest‑severity security vulnerability, tracked as CVE-2026-45829. It allows an unauthenticated attacker to execute arbitrary code on servers exposed to the internet, risking full system compromise.
The vulnerability was discovered by security company HiddenLayer. The core issue is a logic flaw in the Python FastAPI version of the server: an API endpoint marked as requiring authentication applies embedding model parameters before the authentication check runs. An attacker can craft a request that makes ChromaDB load a malicious model from the Hugging Face platform and execute it locally on the server before authentication intercepts the request; by the time the authentication step is reached, the malicious model has already been loaded and executed.
ChromaDB’s PyPI package has nearly 14 million monthly downloads, indicating its high popularity among the global developer community. CVE-2026-45829 was introduced in ChromaDB version 1.0.0 and remains unpatched as of version 1.5.8. HiddenLayer’s investigation shows that about 73% of publicly exposed instances are still running vulnerable versions. An even more concerning detail: since first reporting the vulnerability on February 17, HiddenLayer researchers have repeatedly tried to contact ChromaDB developers but have received no response.
· DBA Perspective: The ChromaDB vulnerability brutally declares that vector database security cannot rely solely on “community faith.” When building RAG applications with such emerging components, DBAs must proactively take on the responsibility of pre‑deployment security reviews, including mandatory network isolation (prohibiting direct public exposure of vector database instances), strict auditing of upstream model sources, and establishing regular security scanning systems for AI infrastructure components.
· CTO Perspective: The ChromaDB vulnerability highlights the security governance shortcomings in the open‑source AI component supply chain – the development team has not established a basic security response mechanism, leaving vulnerability reports unanswered for three months. When selecting AI infrastructure components, technical managers must include “security response capability” in their vendor evaluation systems and avoid relying on “unmaintained” open‑source components for critical business.
· Investor Perspective: A “star project” with 14 million monthly downloads exposed to a major vulnerability with no response for three months underscores the governance dilemma of “star project, amateur team” in the AI open‑source ecosystem. This means that enterprise customers will increasingly value the “backstop capability” of commercial support teams when procuring AI infrastructure. Vector database companies with comprehensive commercial service systems and security compliance service providers are likely to see increased orders from this wave of security anxiety.
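The three DBA recommendations above (no public exposure, reviewed model sources, routine scanning of AI components) can be turned into a pre‑deployment check. The script below is an added example, not ChromaDB's or HiddenLayer's code; the lockfile text, the bind address and the allowlisted model name are constructed placeholders, and the affected range is taken as stated in the news item (introduced in 1.0.0, no fix as of 1.5.8).

```python
"""Pre-deployment audit for a ChromaDB-backed RAG service (added example)."""
import re

# Affected range as stated in the article: introduced in 1.0.0, unpatched as of 1.5.8.
AFFECTED_FROM = (1, 0, 0)
LAST_KNOWN_UNPATCHED = "1.5.8"

# Hypothetical allowlist of embedding-model sources the team has reviewed.
APPROVED_MODELS = {"example-org/reviewed-embedding-model"}


def parse_version(text):
    """Turn '1.5.8' (or '1.5.8rc1') into a comparable (major, minor, patch) tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(x) for x in m.groups())


def chromadb_version_in_lockfile(lockfile_text):
    """Return the pinned chromadb version from requirements.txt-style text, or None."""
    for line in lockfile_text.splitlines():
        m = re.match(r"\s*chromadb\s*==\s*([\w.\-]+)", line, re.IGNORECASE)
        if m:
            return m.group(1)
    return None


def audit(lockfile_text, bind_host, model_ids):
    """Return a list of findings; an empty list means all three checks passed."""
    findings = []
    ver = chromadb_version_in_lockfile(lockfile_text)
    if ver is None:
        findings.append("chromadb is not pinned; cannot prove a safe version")
    elif parse_version(ver) >= AFFECTED_FROM:
        # No fixed release is named, so everything from 1.0.0 on is treated as affected.
        findings.append(f"chromadb=={ver} is in the CVE-2026-45829 affected range "
                        f"(>=1.0.0, no fix as of {LAST_KNOWN_UNPATCHED})")
    if bind_host in ("0.0.0.0", "::", ""):
        findings.append(f"server binds {bind_host!r}: reachable from every interface; "
                        "keep the instance on a private network")
    for mid in model_ids:
        if mid not in APPROVED_MODELS:
            findings.append(f"embedding model {mid!r} is not on the reviewed allowlist")
    return findings


if __name__ == "__main__":
    # Constructed sample: a pinned lockfile, a wide-open bind address, one approved model.
    sample_lock = "fastapi==0.110.0\nchromadb==1.5.8\n"
    for f in audit(sample_lock, "0.0.0.0", ["example-org/reviewed-embedding-model"]):
        print("FINDING:", f)
```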
02|Domestic Database Competitive Landscape: From “Land‑Grab Era” to the Second Half of “Deep Cultivation”
The May 2026 China Database Popularity Ranking shows zero changes in the top ten positions. The first tier (leaders) consists of five vendors: CETC Kingware, OceanBase, TiDB, Dameng, and PolarDB, which have formed a significant advantage in technology maturity and commercial deployment scale. The second tier includes openGauss, GoldenDB, TDSQL, GBase, Taos Data, and others.
Data shows that in critical application areas related to national infrastructure, traditional database vendors like CETC Kingware, with their high sales volumes and deep government‑enterprise trust, are running neck‑and‑neck with internet cloud vendors, forming the two pillars of domestic databases. Kingware KES’s moat lies in its “single kernel, multi‑modal” architecture – supporting relational, document, time‑series, spatial (GIS), and vector data (essential for the large model era) within the same native kernel, with over 95% PL/SQL compatibility with Oracle. OceanBase, with its “single‑node distributed integration” architecture, supports nearly 200 core business systems including large state‑owned banks. In the May procurement market, Kingware became the first choice for core asset upgrades at traditional large institutions due to its “low‑risk, smooth transition” characteristics.
· DBA Perspective: The domestic database landscape is moving from “a hundred flowers blooming” to “concentration among leaders.” The window for DBAs to choose their technology stack is narrowing. If your skills remain outside the five leaders, your “bargaining power” in Xinchuang projects will be gradually diluted. It is recommended to deeply master at least one or two of these five vendors, while paying attention to their differences in the “multi‑modal convergence” path – Kingware dominates in government‑enterprise depth, OceanBase leads in financial cores, Dameng is stable in centralised compatibility, TiDB has global influence in the open‑source ecosystem, and PolarDB continues to invest in cloud‑native directions.
· CTO Perspective: The “zero change in rankings” is a sign of market maturity. The moats of leading vendors in key industries are becoming increasingly solid. When making Xinchuang selections, technology decision‑makers can focus on the first tier of five vendors, but need to make differentiated matches based on business scenarios (financial high‑frequency transactions vs. government high compatibility vs. internet elastic scaling).
· Investor Perspective: The technical approaches of the five leaders have their own focuses, but each has formed irreplaceable advantages in its “home base.” It is recommended to evaluate the long‑term value of each vendor from three dimensions: “depth of multi‑modal convergence,” “penetration rate in key industries,” and “ability to go global.” The market has shifted from competing on “customer count” to competing on “core system share.” Vendors capable of replacing critical systems in finance, energy, and government will gain significant valuation premiums.
03|China’s First Specialised Policy for Agents Issued: Database Becomes a Core “Security Foundation” for AI Agents
On May 8, the Cyberspace Administration of China, the National Development and Reform Commission, and the Ministry of Industry and Information Technology jointly issued the “Implementation Opinions on Standardised Application and Innovative Development of Agents.” This is the first systematic policy document at the national level with “Agent” as the core theme, marking the official entry of agents from technological exploration into a stage guided by national strategy. The Opinions focus on four major directions: consolidating development foundations, maintaining security bottom lines, strengthening application traction, and building innovation ecosystems. They propose 19 typical application scenarios and set clear requirements for agent product standards, tiered governance, and safety guardrails. Earlier, the State Council set a target of over 70% application penetration rate for agents and other technologies by 2027.
YashanDB was the first to respond, using its AI‑native database foundation to build a secure foundation for enterprise‑level agent deployment. YashanDB achieves unified storage and computation of heterogeneous data – structured data, vector data, JSON, etc. – within a single engine. Through its multi‑modal converged data engine, agents no longer need to act as “data porters” between multiple databases; they can complete cross‑modal hybrid search in milliseconds via a unified SQL interface. At the same time, YashanDB launched the industry’s first enterprise‑level agent governance solution, YashanClaw, which natively constructs a four‑dimensional security system at the database foundation: infrastructure security, data security, behavioural security, and compliance security. A single YashanDB instance can support up to 8,192 data sandboxes, fully isolating the operating space of each agent. Earlier, YashanDB successfully went live on the core business system of Kaspi Bank in Kazakhstan, completing the leap from “domestic benchmark” to “international recognition.”
· DBA Perspective: The government’s first special policy on agent data infrastructure signals that “agent‑oriented database capabilities” are moving from optional to mandatory compliance requirements. DBAs need to proactively study the access patterns of agent workloads on databases – multi‑tenant isolation, long‑term memory storage, cross‑session context management – and establish audit trails and least‑privilege policies for agents. YashanClaw’s capability of 8,192 data sandboxes provides a reference paradigm: future databases must be able to “dynamically slice” resources for each agent.
· CTO Perspective: The special policy on agents will accelerate large‑scale enterprise‑grade agent application deployment. As the “memory and decision foundation” for agents, a database’s “secure, multi‑modal, auditable” capabilities will become hard selection thresholds. YashanDB’s YashanClaw solution, with its data sandboxes and fine‑grained permission design, provides CTOs with a reference framework for security governance when evaluating agent data foundations.
· Investor Perspective: YashanDB was the first to respond to the special policy on agents and launch the YashanClaw governance solution, seizing an early advantage in the dual‑driver of “policy + technology.” At the same time, YashanDB has completed an overseas core system delivery at Kaspi Bank in Kazakhstan, possessing a dual growth logic of “domestic Xinchuang + global expansion along the Belt and Road.” Capital should focus on database companies with technological accumulation in “data sandboxes” and “agent permission governance” – they will be the first to benefit from the compliance dividends of agent governance regulations.
04|Domestic Time‑Series Database Track Heats Up: Kingware Completes Industrial Time‑Series Core Replacement in 3 Months; Time‑Series Data to Exceed 45% of Global Data Volume
According to IDC forecasts, by 2026, over 45% of globally generated data will originate from time‑series scenarios. This is not simply an increase in volume, but a structural challenge to the underlying mechanisms of storage engines. Kingbase recently disclosed a typical industrial time‑series data migration case: using Kingbase’s ETL tools to fully migrate three years of historical time‑series data to a KingbaseES V9 cluster, establishing a dual‑write mechanism to ensure real‑time consistency verification between old and new systems during migration, and completing data integrity checks with zero loss and zero tampering, achieving 100% coverage. In the time‑series data domain, industry forecasts predict that unstructured log data generated by enterprises will exceed the petabyte level by 2026, and 80% of analytical queries will require sub‑second response times.
At the same time, EsgynDB also demonstrated its distributed database capabilities in helping the financial industry with Xinchuang implementation. Its dual‑database parallel solution allows old and new systems to run concurrently, completing database replacement while ensuring business continuity. Earlier, Vastbase announced a private placement of RMB 702 million, of which RMB 213 million is earmarked for a multi‑modal time‑series database construction project.
· DBA Perspective: Time‑series data is moving from a “niche area” to the “main battlefield” of data. DBAs need to quickly fill their knowledge gaps about time‑series databases – including the underlying design of time‑series storage engines, down‑sampling strategies, and data retention policies. Kingbase’s case of completing a core time‑series replacement in three months provides a real‑world reference for DBAs selecting time‑series databases in industrial IoT and energy dispatch scenarios.
· CTO Perspective: The forecast that time‑series data will exceed 45% of data volume confirms the judgment that “time‑series data is the record of all digital movement processes.” When planning data architecture, CTOs should prioritise databases with multi‑modal convergence capabilities (time‑series + relational + vector) rather than maintaining highly complex architectures that “patch together multiple databases.”
· Investor Perspective: The time‑series database track is facing a “structural” growth inflection point – demand from industrial IoT, connected vehicles, energy dispatch, and other areas is shifting from “optional” to “mandatory.” Vendors with experience in industrial‑scenario time‑series migration and integrated multi‑modal capabilities are likely to capture significant market share in this wave of time‑series data growth.
05|Tencent Cloud Upgrades Converged Innovation Product Matrix: “Data Intelligence Foundation” for the Agent Era Fully Unveiled
At the 2026 Tencent Cloud Convergence Innovation Summit held in Beijing on May 20, Tencent Cloud upgraded and released its converged innovation capability matrix for the Agent era, covering domestic hardware, operating systems, cloud platforms, data platforms, AI engines, agent services, and security services. On May 19, Tencent Cloud had already officially launched DataBuddy, a big data intelligent agent workbench. Using natural language conversations, users can complete the entire data lifecycle – access, development, governance, and analysis – without switching between multiple pages. At the same time, Tencent Cloud open‑sourced TencentDB Agent Memory, providing short‑term memory compression and long‑term personalised memory capabilities for agent long‑task scenarios – long‑term memory was already available for free use last month, and the focus of this open‑source release is short‑term memory compression. Looking ahead to May 29, Tencent Cloud’s “Database + AI” product launch will present for the first time the full AI‑In‑Database strategy, unveiling six core engines including the Agent “memory brain,” database Agent tool suite, and multi‑modal vector hybrid search. The new version of TDSQL, previously released by Tencent Cloud, already achieved a 50% improvement in OLTP performance, a 20‑fold improvement in OLAP, and 99% centralised syntax compatibility.
· DBA Perspective: From open‑sourcing TencentDB Agent Memory to releasing DataBuddy, and soon the AI‑In‑Database launch, Tencent Cloud is building a full‑chain domestic data intelligence closed loop covering “storage → governance → analysis → agents.” DBAs have opportunities to deeply participate – whether designing persistent memory storage solutions for AI applications using Agent Memory, improving data analysis collaboration efficiency with DataBuddy, or optimising agent data access paths using the six core engines. All require DBAs to proactively develop relevant skills.
· CTO Perspective: Tencent Cloud’s data foundation layout for the Agent era has formed a complete picture. Enterprises building agent applications within the Tencent Cloud ecosystem can significantly reduce integration and development costs at the data layer. DataBuddy’s natural language data development capability and the open‑sourced Agent Memory long‑term memory solution are especially suitable for teams that want to quickly launch agent projects with limited human resources.
· Investor Perspective: Tencent Cloud’s intensive investment in AI‑In‑Database and the Agent ecosystem is a strong endorsement of the industry trend of “database as the data foundation for agents.” The May 29 launch is an important window for observing Tencent Cloud’s technical direction and commercialisation progress in the “data + AI” convergence field.
📅 Recent Database Hot Topics Recap
Date | Event | Core Highlights
May 19 | ChromaDB CVE-2026-45829 highest severity vulnerability disclosed | 10M‑download vector database, 73% of public instances exposed, no fix for three months
May 19 | Tencent Cloud launches DataBuddy big data intelligent agent workbench | Natural language drives full data lifecycle; one sentence completes access, development, governance, analysis
May 20 | Tencent Cloud Convergence Innovation Summit: upgraded capability matrix for Agent era | TDSQL OLTP +50%, OLAP +20x; Agent Memory open‑sourced
May 20 | Kingbase discloses 3‑month industrial time‑series core replacement case | Dual‑write + 100% integrity verification; time‑series track heats up
May 21 | Three national ministries issue first special policy on agents | YashanDB first to respond, launches enterprise agent governance solution YashanClaw
May 21 | May domestic database popularity ranking released | Top ten unchanged; five leaders extend gap advantage
May 29 | Tencent Cloud “Database + AI” product launch (upcoming) | Debut of six AI‑In‑Database core engines; Agent “memory brain” announced
📌 Issue Summary
News | Core Keywords | DBA Actions | CTO/Decision‑Maker Focus | Investor Perspective
ChromaDB critical vulnerability | CVE-2026-45829, vector DB remote hijacking, no response for 3 months | Mandatory network isolation for vector DBs; audit upstream model sources; establish AI component security scanning | Include “security response capability” in AI infrastructure vendor evaluation | Enterprise customers will value commercial “backstop capability”; security compliance firms see order growth
Domestic DB competition landscape | Five leaders with gap advantage, deep cultivation, multi‑modal convergence | Deepen skills in leaders; focus on differentiated paths of Kingware/OceanBase/Dameng/TiDB/PolarDB | Focus selection on first tier but match by scenario | Shift from “customer count” to “core system share”; key industry penetration drives valuation premium
First special policy on agents | Agent policy, data sandbox, YashanClaw, Kaspi Bank global expansion | Learn agent multi‑tenant isolation and audit trails; prepare least‑privilege policies for agents | Security / multi‑modal / auditable capabilities become hard thresholds for agent data foundation | “Domestic Xinchuang + global expansion” dual logic; focus on vendors with data sandbox and agent permission tech
Time‑series DB track heats up | Time‑series data >45%, PB‑level logs sub‑second response, 3‑month core replacement | Fill knowledge gaps in time‑series engine design, down‑sampling, retention policies; reference industrial cases | Prioritise multi‑modal (time‑series+relational+vector) integrated architecture | Industrial IoT / connected vehicle demand shifts from “optional” to “must‑have”; integrated multi‑modal vendors expected to gain share
Tencent Cloud Agent data foundation | DataBuddy, TencentDB Agent Memory, AI‑In‑Database, six core engines | Build skills in agent memory storage, DataBuddy collaboration, agent data access path optimisation | Increased integration of Agent ecosystem data foundation; significantly lower costs for enterprise Agent projects | May 29 launch is key window to observe Tencent Cloud’s “data+AI” commercialisation progress
HiddenMerit Team Production
Slogan: 绩优隐于内,金石启新程 | Hidden deep. Merit bold. Forge ahead.