# 📊 HiddenMerit Daily · Issue 33

> Focus on Database Frontiers, Practical Insights for DBAs

> May 29, 2026 | 5 Selected Global Breaking News

## 01|Tencent Cloud “Database + AI” Product Launch Today: Debut of Six AI‑In‑Database Core Engines

Today, May 29, 2026, the Tencent Cloud “Database + AI” product launch is taking place at the Hyatt Regency Shanghai, Wujiaochang. The launch will present, for the first time, Tencent Cloud’s strategic layout and comprehensive solutions under the dual‑track path of “DB for AI” and “AI in DB,” with the core theme of achieving deep internalisation and native integration of large models with the database kernel – AI‑In‑Database.

The six core engines unveiled at the launch include:

- Agent “Memory Brain”: Native memory capabilities for AI agents, supporting cross‑session persistent storage;

- Database Agent Tool Suite: Standardising database operations knowledge into Agent Skills;

- Multi‑Modal Vector Hybrid Search: Support for vector, full‑text, and scalar recall and ranking within a single SQL;

- Cloud‑Native Architecture 2.0: Newly designed for the unpredictability of large model training, inference, and agent workloads;

- Exclusive Frost & Sullivan Trend Report Analysis: Analysing the global database + AI market landscape and segmented scenarios;

- Industry‑Academia Collaboration: Exploring cutting‑edge topics at the intersection of databases and AI with top global scholars.

On May 22, Tencent Cloud had already released the PostgreSQL Cloud Disk Edition, which includes capabilities such as pgvector extension enabled by default, DiskANN index productisation, and the in‑database AI function tencentdb_ai, laying a solid technical foundation for today’s launch. Previously, at the Convergence Innovation Summit, Tencent Cloud also released the new TDSQL version (OLTP +50%, OLAP +20x), DataBuddy big data intelligent agent workbench, and the open‑sourced TencentDB Agent Memory.

- DBA Perspective: Today’s launch is a key milestone for DBAs to observe how AI‑In‑Database moves from “concept” to “productisation.” The Agent “Memory Brain” among the six core engines is particularly noteworthy – AI agent access patterns to databases are completely different from those of human DBAs: high‑frequency small batches, cross‑session persistence, multi‑tenant logical isolation. The implementation details of these engines at the launch will directly determine the future operational toolchain and skill set of DBAs. DBAs should focus on the elastic design for agent workloads in Cloud‑Native Architecture 2.0, as well as the actual performance of multi‑modal vector hybrid search.

- CTO Perspective: Tencent Cloud’s data foundation centred on “AI‑In‑Database” covers the full stack from chip adaptation to models to agent services. If the engineering effectiveness of the six engines is truly delivered, enterprise development cycles for agent‑class applications and data integration costs will be significantly reduced. CTOs should make today’s launch a key annual observation event, especially the customer implementation case sharing – case quality will influence technology selection decisions more than concepts themselves.

- Investor Perspective: Tencent Cloud’s intensive investment in the database + AI direction (TDSQL performance doubling, Agent Memory open‑sourced, DataBuddy released, PG Cloud Disk Edition launched), combined with the full unveiling of the AI‑In‑Database strategy today, is building a full‑chain data intelligence closed loop covering “storage → governance → analysis → agents.” The quality of customer cases and technical depth at the launch are core indicators for judging Tencent Cloud’s commercialisation progress in the “data + AI” track.

## 02|Percona Live 2026: OurSQL Foundation Officially Launches, MySQL Community‑Led Era Begins

From May 27 to 29, the open‑source database technology event Percona Live 2026 was held in the Bay Area, USA. The biggest news from this year’s conference is the official launch of the OurSQL Foundation, a 501(c)(6) non‑profit organisation designed to provide a vendor‑independent collaboration platform for MySQL users, developers, and enterprises.

The core objectives of the foundation include:

- Vendor‑neutral governance model: Participation evaluated based on contribution, not vendor position;

- Community‑shared asset management: Including a public vulnerability database, tool portal, and transparent security patch logs;

- Collaboration centre for MySQL’s future development: Representing the entire community, not any single vendor;

- Development of education and training materials: Attracting the next generation of developers to the MySQL ecosystem.

Founding members of the foundation include Percona, PlanetScale, PingCAP, VillageSQL, Alibaba Cloud, and others, as well as independent MySQL expert Jean‑François Gagné. Vadim Tkachenko, co‑founder of Percona and Chair of the foundation, said: “This foundation will provide a platform to promote and support MySQL as a database, fostering collaboration among all those who wish to contribute to the MySQL ecosystem. By bringing the community together under the banner of an independent foundation, we can demonstrate that MySQL has an effective and vibrant future.”

Previously, Oracle had published a blog post committing that “MySQL is the foundation of our data strategy” and remained open to community dialogue.

- DBA Perspective: The official launch of the OurSQL Foundation is a historic moment for the MySQL ecosystem. For DBAs who have long relied on the MySQL ecosystem, this change is worth continuous attention. If the Foundation gains sufficient support from developers and enterprises, the future roadmap of MySQL will no longer be dominated by a single vendor. DBAs are advised to follow the cutting‑edge topics at Percona Live 2026 on the MySQL extension framework and AI‑assisted database development – these technology directions will directly impact the operational toolchain over the next 3‑5 years. Moreover, if the foundation’s public vulnerability database and transparent security patch logs are truly implemented, they will significantly improve DBAs’ ability to perceive the MySQL security landscape.

- CTO Perspective: If the OurSQL Foundation attracts enough resources and contributors, it will provide a more secure technical path for enterprises’ MySQL investments. CTOs with large MySQL technology stacks should closely monitor the foundation’s governance structure and member development, assessing its potential impact on long‑term technology planning. The opening keynote by CMU’s Andy Pavlo, “Developing and Optimising Database Systems Using Large Language Models,” is also worth attention – AI is changing the development paradigm of database kernels.

- Investor Perspective: The OurSQL Foundation is essentially a countermeasure by the open‑source community against the vendor‑led development model. If the Foundation receives support from key enterprise users and cloud vendors, it will gain stronger influence over the governance and evolution direction of the MySQL ecosystem – a positive for related publicly listed companies like MariaDB and for cloud vendors whose core technology stack relies on MySQL’s open‑source capabilities. Alibaba Cloud’s participation as a founding member also demonstrates that Chinese enterprises are playing an increasingly active role in global open‑source ecosystem governance.

## 03|dotCMS Critical SQL Injection CVE-2026-8054: Read, Write, Delete Any Database Content Without Authentication

On May 27, security researchers disclosed a critical SQL injection vulnerability in the core system of dotCMS, numbered CVE-2026-8054, affecting versions 25.11.04‑1 through 26.04.28‑02. Affected endpoints include /api/auditPublishing/get and /api/auditPublishing/getAll.

The core issue is that these two API endpoints neither enforce authentication nor adequately sanitise user input, directly concatenating unsanitised input into dynamic SQL statements. A remote unauthenticated attacker can exploit this vulnerability to read, modify, or delete arbitrary database content. CISA analysis indicates that the vulnerability is “fully automatable with a full technical impact.”

The vulnerability has been fixed in dotCMS Core version 26.04.28‑03, where access to the affected endpoints requires an authenticated backend user with publishing-queue portlet permissions. LTS versions are not affected – the vulnerable code path was never backported to LTS versions.
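The two defects and the shape of the fix described above, as an added example that is not dotCMS code: the table, function and permission names are hypothetical, the data is constructed, and an in-memory SQLite database stands in for the backend.

```python
import sqlite3

REQUIRED_PERMISSION = "publishing-queue"  # hypothetical permission label


class Forbidden(Exception):
    """Raised when the caller is not allowed to use the endpoint."""


def make_db():
    # Constructed sample data standing in for a publishing audit table.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE publish_audit (bundle_id TEXT, status TEXT);
        INSERT INTO publish_audit VALUES ('b-001', 'SUCCESS');
        INSERT INTO publish_audit VALUES ('b-002', 'FAILED');
    """)
    return db


def get_audit_vulnerable(db, bundle_id):
    # "Before": no caller check, and the request value becomes part of the SQL text.
    sql = ("SELECT bundle_id, status FROM publish_audit "
           "WHERE bundle_id = '" + bundle_id + "'")
    return db.execute(sql).fetchall()


def get_audit_hardened(db, user, bundle_id):
    # "After", step 1: reject anonymous callers and users without the permission
    # before any query is built.
    if user is None or REQUIRED_PERMISSION not in user.get("permissions", ()):
        raise Forbidden("authenticated user with publishing-queue permission required")
    # Step 2: bind the value as a parameter so it is only ever compared as data.
    sql = "SELECT bundle_id, status FROM publish_audit WHERE bundle_id = ?"
    return db.execute(sql, (bundle_id,)).fetchall()


def demo():
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input that alters the WHERE clause
    editor = {"name": "editor", "permissions": ["publishing-queue"]}
    results = {
        "vulnerable_normal": get_audit_vulnerable(db, "b-001"),
        "vulnerable_crafted": get_audit_vulnerable(db, crafted),
        "hardened_crafted": get_audit_hardened(db, editor, crafted),
    }
    try:
        get_audit_hardened(db, None, "b-001")
        results["anonymous"] = "allowed"
    except Forbidden:
        results["anonymous"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With the concatenated query the crafted value returns every row instead of none; with the bound parameter it matches nothing, and the anonymous call never reaches the database.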

- DBA Perspective: CVE-2026-8054 is a textbook case of a critical vulnerability: missing authentication plus SQL injection, two fatal defects stacked on top of each other. In an enterprise‑grade content management system, dotCMS’s audit publishing API endpoints were accessible without authentication and directly concatenated user input into SQL, essentially hanging a “welcome intruders” sign on the database door. Users of affected versions must upgrade immediately to version 26.04.28-03 or higher. The fact that LTS versions are not affected also reminds DBAs: when selecting technology, prioritise LTS versions, which typically have more mature security audit and patch management processes. At the same time, DBAs are advised to work with security teams to enforce authentication checks on all API endpoints exposed to the public internet.

- CTO Perspective: The dotCMS vulnerability again confirms that “API security is the outpost of data security.” Two audit publishing API endpoints exposed to the public internet without authentication reflect a common security design flaw – development teams assume “these interfaces won’t be accessed externally,” but attackers scan every exposed endpoint. CTOs should establish an API security baseline: all API endpoints require authentication by default unless there is a clear architectural reason for an exception, and exceptions must go through security review.

- Investor Perspective: API security vulnerabilities in “data‑intensive applications” such as enterprise‑grade CMS, low‑code platforms, and BI tools are becoming a key breakthrough point for attackers. These platforms typically have direct read‑write access to backend databases. Once the API is compromised, core data assets are directly exposed. Security companies providing API security scanning, runtime protection, and vulnerability management services will benefit from the continued growth of enterprise application security spending.

## 04|CETC Kingware Discloses Head Securities Firm Core System “Heart Replacement” Record: Zero‑Downtime Migration, RTO < 30 Seconds

On May 28, CETC Kingware published a technical article titled “Record of Core System ‘Heart Replacement’ at a Head Securities Firm: Zero‑Downtime Migration to KingbaseES V9.” The article details the complete process of migrating a head securities firm’s core trading system from a traditional database to KingbaseES V9. The firm handles massive daily trading volumes and faces extreme concurrency pressure in pre‑market, intra‑day, and post‑market periods. The core requirement for the migration was achieving “zero downtime.”

Migration results were impressive:

| Metric | Before Migration | After Migration (KingbaseES V9) | Change |
|--------|-----------------|-------------------------------|--------|
| Trading Response Latency | 45ms avg | 32ms avg | +29% |
| System Throughput | 12,000 TPS | 18,000 TPS | +50% |
| Recovery Time (RTO) | 15 minutes | <30 seconds | -97% |
| Data Consistency Check | Manual sampling | Full automatic verification | Qualitative leap |

The article notes that the technical team conducted over 50 simulation switchover drills, each accurate to the second. Ultimately, during a low‑traffic period, the primary‑standby switchover was completed via automated scripts, without any perceptible impact on normal trading. The article emphasises: “True ‘zero downtime’ does not rely on the perfection of a single technology, but on the extreme insight into business peak‑valley patterns and the organic combination of phased disaster recovery drills.”

Previously, CETC Kingware also disclosed a domestic replacement case for a state‑owned bank’s core system, achieving results including a reduction in core transaction average response time from 120ms to 85ms (+29%), RTO shortened from 4 hours to 15 minutes (-93%), and single‑node TPS increased from 5,000 to 8,500 (+70%).

- DBA Perspective: The reduction of core system RTO from 15 minutes to under 30 seconds at a head securities firm is highly compelling real‑world data. For DBAs, this means that the high availability capability of domestic databases in financial core scenarios has reached international mainstream levels. The “50 switchover drills” and “phased disaster recovery drill” methods mentioned in the article are worth learning for DBAs doing core system migrations – the key to success lies not in the technology itself, but in precise insight into business rhythms and thorough drill preparation. The dual case validation from both a state‑owned bank and a head securities firm provides a powerful reference for DBAs in financial Xinchuang technology selection.

- CTO Perspective: The securities industry demands “millisecond‑level response and zero tolerance for interruption” from trading systems. The average 32ms latency and 30‑second RTO achieved by KingbaseES V9 in a real production environment prove that domestic databases are fully capable of carrying core securities trading systems. The core innovation of the “application‑transparent migration paradigm” described in the article – business logic code modification rate below 5% – significantly reduces the implementation risk and technical threshold for domestic replacement of core systems.

- Investor Perspective: “Zero‑downtime” migration cases at head securities firms and state‑owned banks are the scarcest commercial moats for domestic database vendors. The accumulation of such “financial‑grade” benchmark cases directly translates into order premiums in the deep‑water Xinchuang replacement. By successively disclosing core system migration cases from both banking and securities sub‑sectors, Kingware is rapidly moving forward in the financial Xinchuang track.

## 05|OceanBase Passes CAICT Vector Database Full Test, Integrated AI Data Foundation Receives Another Authoritative Certification

On May 26, the China Academy of Information and Communications Technology (CAICT) officially announced the first half of 2026 batch of “Trustworthy Database” test results. OceanBase database software successfully completed all test items for vector database basic capabilities, passing 47 test items (27 mandatory + 20 optional) across seven capability domains: basic functionality, operations management, security, compatibility, scalability, high availability, and tool ecosystem.

The test was conducted according to the “Technical Requirements for Vector Databases” (T/CCSA 573-2024). This standard, jointly developed by CAICT under the Big Data and Blockchain Working Group of the China Communications Standards Association and the Big Data Technology Standard Promotion Committee, together with over 50 industry experts, is the industry’s first vector database technical standard and has become a benchmark for vector database technology development and product selection.

OceanBase uses a single database to simultaneously handle three workloads: transactions, analytics, and AI inference, helping enterprises simplify complex data stacks into a unified intelligent data foundation. Previously, OceanBase topped the May 2026 China Database Popularity Ranking with a score of 830.74.

- DBA Perspective: OceanBase passing CAICT’s full vector database test marks that domestic databases have completed authoritative standard certification for “AI workload support capability.” For DBAs, this means that managing both structured transactional data and unstructured vector data within the same database system will become the norm. DBAs are advised to focus on OceanBase’s multi-modal convergence architecture – when vector retrieval and transaction processing are completed within the same engine, the DBA’s focus will shift from “maintaining data consistency across multiple systems” to “optimising cross-modal query execution plans.” The 47 test items also provide DBAs with a quantifiable evaluation framework for vector database selection.

- CTO Perspective: CAICT’s vector database standard is the industry’s first authoritative standard. OceanBase passing all tests demonstrates its technical maturity for AI workload scenarios. For CTOs planning data architectures for AI applications, an integrated foundation can significantly reduce the operational complexity and data movement costs of multi-component integration.

- Investor Perspective: Following OceanBase’s continued top ranking in DB-Engines China Database Popularity, receiving CAICT authoritative certification provides dual endorsement of its technology leadership in the AI‑Native database direction. Capital markets should continue to monitor the cadence of OceanBase’s commercial orders in AI scenarios.

## 📅 Recent Database Hot Topics Recap

| Date | Event | Core Highlights |
|------|-------|-----------------|
| May 26 | OceanBase passes CAICT vector database full test | All 47 test items passed; integrated AI data foundation receives another authoritative certification |
| May 27-29 | Percona Live 2026 held in USA | OurSQL Foundation officially launches; MySQL community‑led era begins |
| May 27 | dotCMS CVE-2026-8054 critical vulnerability disclosed | API without authentication, R/W/D any DB content; LTS versions unaffected |
| May 28 | Kingware discloses head securities firm core system migration case | RTO reduced from 15 minutes to <30 seconds; zero‑downtime migration |
| May 28 | Kingware discloses state‑owned bank core system migration results | TPS +70%, RTO -93%; business logic code modification rate <5% |
| May 29 | Tencent Cloud “Database + AI” product launch (today) | Debut of six AI‑In‑Database core engines; Agent‑era data foundation final unveiling |

## 📌 Issue Summary

| News | Core Keywords | DBA Actions | CTO/Decision‑Maker Focus | Investor Perspective |
|------|---------------|-------------|--------------------------|----------------------|
| Tencent Cloud DB+AI launch | AI‑In‑Database, six core engines, Agent memory brain | Focus on technical details of Agent “Memory Brain”; prepare for AI Agent O&M scenarios | If engineering effectiveness of six engines lands, will compress Agent development cycles | Quality of customer cases at launch is bellwether for Tencent Cloud’s data+AI commercialisation |
| OurSQL Foundation launch | MySQL community‑led, vendor‑neutral, Percona Live 2026 | Pay attention to MySQL ecosystem governance changes; learn AI‑assisted database kernel development | Foundation development affects MySQL long‑term roadmap; AI changes DB development paradigm | Community‑led model affects valuation of MariaDB and related ecosystem companies |
| dotCMS SQL injection CVE-2026-8054 | API without authentication, arbitrary R/W/D, LTS unaffected | Upgrade immediately to 26.04.28-03; prioritise LTS versions; check authentication on all public API endpoints | Establish API security baseline: all endpoints require authentication by default | API security scanning and runtime protection companies benefit from application security spending growth |
| Kingware securities core system migration | Head securities firm zero downtime, RTO<30s, 50 switchover drills | Learn “phased disaster recovery drill” method; incorporate business rhythm insight into migration assessment | Core system domestic replacement validation complete; business logic code modification rate <5% | “Zero‑downtime” financial core cases are the scarcest commercial moat |
| OceanBase passes CAICT vector test | Vector DB standard, 47 items passed, integrated AI foundation | Learn cross‑modal query tuning under multi‑modal convergence architecture; focus on 47‑test evaluation framework | Authoritative certification reduces AI workload DB selection risk | Technical certification + popularity top ranking; AI‑Native DB commercialisation progress anticipated |

> HiddenMerit Team Production

> Slogan: 绩优隐于内,金石启新程 | Hidden deep. Merit bold. Forge ahead.
