📊 HiddenMerit Daily · Issue 28
Focus on Database Frontiers, Practical Insights for DBAs
May 23, 2026 | 5 Selected Global Breaking News
01|Financial Xinchuang Accelerates Again: Database Transformation Projects at Shaoxing Bank and Linshang Bank Intensively Land
On May 22, the 2026 database transformation and virtualisation platform expansion software and hardware procurement project of Shaoxing Bank announced its winning bid, covering multiple lots including Xinchuang servers and Huawei virtualisation software licenses. On the same day, the winning result of Package B of Linshang Bank’s Xinchuang centralised database procurement project was also announced, marking that the core system domestic replacement of this Shandong local bank has entered the substantive delivery stage. The Xinchuang procurements of Shaoxing Bank and Linshang Bank are not isolated cases. China Communications Construction Group Co., Ltd.’s 2026 autonomous‑control database procurement project completed evaluation on May 22, with a transaction amount of RMB 259,200. Guangxi Digital Jinfu Technology Co., Ltd. also announced the winning result of its domestic basic suite procurement project on the same day, covering domestic operating systems, domestic databases, and domestic middleware. On the same day, a centralised procurement project for domestic databases also announced its bid candidates, with three enterprises including Digital China and Beijing Tiancheng Likong selected, with bid quotations ranging from RMB 128,000 to 153,500. On May 22 alone, Xinchuang database procurements in multiple key sectors such as finance, communications, and digital government intensively landed, significantly increasing the depth and breadth of large‑scale domestic database replacement.
· DBA Perspective: The multiple finance, communications, and government Xinchuang procurement announcements intensively disclosed on the same day on May 22 send a clear “talent demand amplification signal” to DBAs. The database transformation projects at Shaoxing Bank and Linshang Bank mean that the core business systems of local banks are being batch‑migrated to domestic databases. DBAs should view these regional financial Xinchuang projects as career springboards – mastering practical operations and migration experience for leading domestic databases such as Dameng, OceanBase, and GaussDB will be highly valuable hard currency in bank IT outsourcing and fintech over the next two years. DBAs are advised to proactively learn the “dual‑track migration” and “data consistency verification” technical solutions of domestic databases to meet the stringent zero‑data‑loss requirements of financial Xinchuang projects.
· CTO Perspective: The Xinchuang procurements at Shaoxing Bank and Linshang Bank, together with the centralised procurements in the communications and digital finance sectors, indicate that Xinchuang replacement has moved from “pilot projects at leading institutions” to “deepening into local areas” across the board. When planning technology roadmaps, CTOs should include domestic databases as a regular option in architecture design. It is particularly noteworthy that these projects generally require a full‑stack replacement of “domestic OS + domestic database + domestic middleware,” meaning that database selection must complete a compatibility adaptation closed loop within the overall Xinchuang ecosystem.
· Investor Perspective: The intensive implementation of multiple finance, communications, and government procurement projects on May 22 is direct evidence that the Xinchuang industry is shifting from “policy‑driven” to “regular procurement.” Sustained budget investment from financial institutions and local governments provides stable revenue growth support for domestic database vendors. On the secondary market, close attention should be paid to the order cadence of leading vendors represented by Dameng, Kingware, and OceanBase in the finance and local government sectors – order density and amount are leading indicators for judging market share changes.
02|Alibaba Cloud PolarDB AI Assistant Officially Released: Making Large Models the “O&M Partner” for DBAs
On May 22, Alibaba Cloud officially released the alibabacloud‑polardb‑ai‑assistant, an intelligent O&M plugin that combines database operations expertise with large model reasoning capabilities, supporting PolarDB for MySQL and PostgreSQL. The assistant provides over 20 O&M capabilities – including performance diagnosis, fault troubleshooting, and parameter optimisation – through natural language interaction, strictly adhering to a read‑only, no‑write principle for safety and control. Users simply input natural language into the AI Agent client, such as “analyse performance issues of cluster pc‑xxx in the last hour,” and the system automatically pulls monitoring metrics, slow SQL logs, and execution plans, then provides diagnostic recommendations.
Its technical architecture follows the design philosophy of “making the AI Agent think and act like a DBA.” The interaction layer supports multi‑turn natural language conversations; the invocation layer securely calls APIs through the DAS plugin of Aliyun CLI; the engine layer deeply understands the PolarDB kernel architecture (read‑write separation, IMCI columnar storage, Serverless elasticity, etc.); and the data layer strictly follows the RAM permission system and does not execute any DDL/DML operations. This capability is packaged as a standard Agent Skill, published on the Alibaba Cloud Agent Skills portal, and can be loaded and invoked by any compatible AI Agent client, truly integrating intelligent database O&M capabilities into the daily workflow of developers.
· DBA Perspective: The launch of the PolarDB AI Assistant marks that “AI taking over daily database operations” has moved from concept to usable product. For DBAs, this means that much of the daily monitoring, slow SQL analysis, and parameter optimisation will be achievable through natural language conversations. However, DBAs will not be replaced; their role will evolve into “AI O&M policy managers” – defining monitoring baselines, auditing AI diagnostic conclusions, and handling complex anomalies beyond AI coverage. DBAs should proactively experience such AI O&M tools and treat AI as an efficiency lever rather than a threat.
· CTO Perspective: Alibaba Cloud packaging expert experience with large models into Agent Skills effectively “productises” and “reuses” database O&M knowledge. This reduces the difficulty and cost of cultivating high‑level DBAs, especially for small and medium‑sized teams with limited database operations staff. However, technical decision‑makers must pay attention to the “black‑box” risk of AI assistants – validation mechanisms for AI‑generated optimisation suggestions should be in place.
· Investor Perspective: The PolarDB AI Assistant is an important step by Alibaba Cloud in extending “database + AI” from kernel optimisation to intelligent operations. This will enhance PolarDB’s competitiveness in the enterprise market and create differentiation against competing products. Investors should monitor the effectiveness of such AI O&M tools in improving the paid conversion rate of cloud databases.
03|New Landscape of Domestic Database Competition: The Gap Advantage of the Five Leaders Continues to Widen, Critical Sector Replacement Enters Deep Water
In May 2026, the domestic database market landscape further differentiated. According to industry observations, five vendors – CETC Kingware, OceanBase, TiDB, Dameng, and PolarDB – form the leading camp, with a clear gap advantage in technology maturity and commercial deployment scale. In critical application areas related to national infrastructure, traditional database vendors like CETC Kingware, with their high sales volumes and deep government‑enterprise trust, run neck‑and‑neck with internet cloud vendors. Kingware KES, through its “single kernel, multi‑modal” architecture, supports eight data models including relational, document, time‑series, spatial, and vector within the same kernel, with over 95% PL/SQL compatibility with Oracle. OceanBase, with its “single‑node distributed integration” architecture, supports nearly 200 core business systems, including several large state‑owned banks.
The focus of database industry competition has shifted from pure performance benchmarking to the depth of adaptation to complex business scenarios and full‑stack autonomous capability. Some analyses indicate that the market size of AI‑native databases will exceed RMB 8 billion in 2026. AI is not only optimising traditional modules such as query optimisers and index management but also giving rise to new capabilities like vector search and time‑series prediction.
· DBA Perspective: The widening gap advantage of the top five vendors means that DBAs’ window for skill choice is narrowing. If your skills remain outside these five, your bargaining power in Xinchuang projects will be gradually diluted. It is recommended to deeply master at least two of them – choose Kingware for government/enterprise (high compatibility, multi‑modal convergence), OceanBase for financial cores (distributed strong consistency), and PolarDB for cloud‑native directions. Meanwhile, the technical approaches of the five differ; DBAs can plan their skill reserves according to the mainstream choices in their industry.
· CTO Perspective: The moats of the five leaders have shifted from “performance parameters” to “depth of ecosystem adaptation” and “penetration rate in key industries.” When making Xinchuang selections, CTOs should shift evaluation focus from benchmark tests to three dimensions: first, syntax compatibility with legacy Oracle/MySQL applications; second, the number of large‑scale implementation cases in target industries; and third, support for AI scenarios such as multi‑modal (vector, time‑series, spatial) capabilities.
· Investor Perspective: The five leaders occupy the majority of incremental market share in the domestic database market, forming a “the strong get stronger” competitive landscape. Investment logic should shift from “spreading bets” to “selecting leading players,” focusing on vendors with continuously increasing penetration in key industries such as finance, energy, and government. The data indicating that the AI‑native database market will exceed RMB 8 billion suggests that vendors with “multi‑modal convergence” capabilities will be in a stronger position in the next round of valuation restructuring.
04|Tencent Cloud “Database + AI” Launch Countdown: Agent‑Era Data Foundation Enters Final Stage
Only six days remain until the Tencent Cloud “Database + AI” product launch on May 29. This launch will present, for the first time, Tencent Cloud’s complete technical achievements in the “AI‑In‑Database” direction, unveiling six core engines covering cutting‑edge capabilities such as the Agent “memory brain,” database Agent tool suite, and multi‑modal vector hybrid search. Earlier, on May 20, at the Convergence Innovation Summit, Tencent Cloud had already released its data intelligence foundation for the Agent era, including the DataBuddy big data intelligent agent workbench and the open‑sourced TencentDB Agent Memory.
Before the launch, Tencent Cloud has intensively released technical signals: six papers were accepted at the top database conference ICDE 2026, achieving breakthroughs in HTAP column caching, NL2SQL recall rate improvement, and other areas. Tencent Cloud’s TDAI (Tencent Database AI Service) has also been launched, providing precise context for agent decision‑making through long‑term memory and deep retrieval. From DBbrain’s AI Skill transformation to DatabaseClaw’s four‑layer security depth, Tencent Cloud’s “Database + AI” puzzle is rapidly converging – May 29 will be the full unveiling of this strategy.
· DBA Perspective: The May 29 launch is a key milestone for DBAs to observe how AI‑In‑Database moves from “concept” to “productisation.” Of particular interest is the fact that AI Agent access patterns to databases are completely different from those of human DBAs – high‑frequency small batches, cross‑session persistence, multi‑tenant logical isolation. The implementation details of the six core engines at the launch will directly impact the future operational toolchains and skill sets of DBAs.
· CTO Perspective: Tencent Cloud’s data foundation centred on “AI‑In‑Database” covers the full stack from chip adaptation to models to agent services. If the engineering effectiveness of the six engines is truly delivered, enterprise development cycles for agent‑class applications and data integration costs will be significantly reduced. Technology decision‑makers are advised to make the May 29 launch a key Q2 observation event, especially the technical details of the “memory brain” and “multi‑modal vector hybrid search.”
· Investor Perspective: Tencent Cloud’s intensive investment in the “database + AI” direction is a key strategic move from “cost optimisation” to “technology brand premium.” The May 29 launch is an important window for observing the commercial conversion efficiency of this strategy, with special attention to customer implementation case sharing at the launch – case quality will influence market valuation more than concepts themselves.
05|Week’s Database Security Vulnerabilities Focus: MariaDB Use‑After‑Free, Devolutions Server Privilege Bypass
On May 22, multiple database security vulnerabilities were intensively disclosed. MariaDB (through version 10.5.9) has a use‑after‑free vulnerability in convert_const_to_int, which can be triggered when using the BIGINT data type. The vulnerability has a CVSS v3 score of 7.5 (high risk), is remotely exploitable, and public exploit code exists. Unity Linux has released security update UTSA-2026-021663 to address the issue. Additionally, the Vault Import function in Devolutions Server 2026.1.16.0 and earlier has an authorisation validation vulnerability (CVE-2026-9223), with a CVSS score of 6.3. A low‑privilege authenticated user can create a new vault through a crafted import request. Hibernate ORM multiple versions (before 5.3.18, before 5.4.18, before 5.5.0.Beta1) have also been found to have security flaws. STAR software has an SQL injection vulnerability (CVE-2026-25606) and a weak password encoding algorithm issue (CVE-2026-25607).
· DBA Perspective: The use‑after‑free vulnerability in MariaDB again warns DBAs that memory safety issues in database kernels are becoming a primary breakthrough point for attackers. Users still running MariaDB 10.5.9 or earlier are strongly advised to upgrade immediately. At the same time, Hibernate ORM, as a widely used ORM framework in the Java ecosystem, its security flaws imply potential risks for many Java‑based data applications. DBAs should work with application security teams to identify the versions and dependencies of Hibernate ORM in production environments and schedule upgrade windows for vulnerable versions.
· CTO Perspective: Within a week, multiple database‑related components were exposed with high‑risk vulnerabilities – from MariaDB to Hibernate ORM to Devolutions Server – covering the full chain of database kernel, ORM framework, and database management tools. This reminds CTOs that a three‑layer security scanning mechanism for “database + ORM + management tools” must be established, with vulnerability remediation included as a mandatory gate in quarterly security baselines.
· Investor Perspective: Security risks in the data infrastructure supply chain are accelerating, from database kernels to ORM middleware to management platforms – every layer can become an attack entry point. This provides sustained market growth for security scanning, vulnerability management, and compliance auditing service providers. Companies that can cover full‑stack “database + application framework” security detection capabilities will occupy a stronger competitive position in enterprise security budgets.
📅 Recent Database Hot Topics Recap
Date Event Core Highlights
May 22 Multiple financial institutions including Shaoxing Bank and Linshang Bank intensively land Xinchuang procurements Domestic database replacement in local financial systems enters deep water
May 22 Alibaba Cloud PolarDB AI Assistant officially released 20+ O&M capabilities, natural language‑driven intelligent O&M
May 22 MariaDB 10.5.9 use‑after‑free vulnerability disclosed CVSS 7.5 high risk, remotely exploitable, public exploit code exists
May 22 Devolutions Server CVE-2026-9223 privilege bypass vulnerability Low‑privilege authenticated user can create a new vault
May 22 Domestic database competition landscape analysis: gap advantage of five leaders widens Industry competition shifts from performance benchmarking to scenario adaptation depth
May 29 Tencent Cloud “Database + AI” product launch (6 days countdown) Debut of six core engines; Agent‑era data foundation final unveiling
📌 Issue Summary
News Core Keywords DBA Actions CTO/Decision‑Maker Focus Investor Perspective
Financial Xinchuang intensively lands Shaoxing Bank, Linshang Bank, local financial Xinchuang Develop skills in dual‑track migration and data verification for domestic DBs; adapt to zero‑data‑loss requirements Establish full‑stack compatibility mechanism for domestic OS + DB + middleware Financial Xinchuang shifts from policy‑driven to regular procurement; order density leads share changes
PolarDB AI Assistant released Natural language O&M, 20+ capabilities, Agent Skill Treat AI as efficiency lever; role evolves from “manual O&M” to “AI policy manager” Reduces DBA training costs for small teams; focus on validation mechanisms for AI suggestions DB+AI extends to intelligent O&M; enhances cloud DB paid conversion rate
New domestic DB competition landscape Five leaders’ gap advantage, multi‑modal convergence, AI‑native Deepen skills in leading domestic DBs; differentiate based on industry (government/finance/cloud‑native) Shift evaluation focus from performance to ecosystem adaptation depth and industry penetration Investment logic shifts from “spreading bets” to “selecting leaders”; multi‑modal capability becomes valuation factor
Tencent Cloud DB+AI launch countdown AI‑In‑Database, six core engines, Agent memory brain Pay attention to launch technical details; prepare for AI Agent O&M scenarios If engineering effectiveness of six engines lands, will compress Agent development cycles Launch’s technical depth and customer case quality are valuation bellwethers
Week’s DB security vulnerabilities MariaDB use‑after‑free, Hibernate ORM flaws, Devolutions privilege bypass Upgrade MariaDB to safe version; inventory Hibernate ORM versions Establish three‑layer security scanning mechanism for DB + ORM + management tools Full‑stack security detection capability providers will gain stronger position in enterprise security budgets
HiddenMerit Team Production
Slogan: 绩优隐于内,金石启新程 | Hidden deep. Merit bold. Forge ahead.
No comments yet