# 📊 HiddenMerit Daily · Issue 35
> Focus on Database Frontiers, Practical Insights for DBAs
> June 2, 2026 | 5 Selected Global Breaking News
## 01|Tencent Cloud Database Fully Enters AI‑Native 3.0 Era: Taking Agents as New Users, Reshaping Database Capabilities
On May 29, Tencent Cloud officially announced in Shanghai that its database product system has been fully upgraded for agent scenarios, delivering over ten technical innovations across three major use cases: agent applications, AI‑assisted programming, and intelligent operations. Wang Yicheng, Vice President of Tencent Cloud, stated that databases are moving toward the AI‑Native 3.0 era, “taking agents as new users to redesign database products and capability systems.”
Core technical innovations in this upgrade:
- Agent Memory: One of the industry’s first agent memory services to propose the concept of “team memory,” building a four‑layer memory architecture (L0 raw session records → L1 atomic information vector index → L2 scenario‑based markdown files → L3 accumulated personal characteristics). The dual‑track design of “human‑readable, agent‑usable” increases task success rates in long‑task scenarios by 30% and saves up to 60% in token costs. In the PersonaMem evaluation, OpenClaw’s long‑term memory score jumped from 48% to 76%. The open‑source version gained over 4,000 GitHub Stars within one week of release.
- TDSQL‑B architectural refactoring: Unifies four engine types – transaction, vector, full‑text, and graph computing – into a single distributed foundation, natively supporting multi‑modal hybrid search and managing heterogeneous data sources such as MySQL, PostgreSQL, MongoDB, Redis, and COS. A game publisher no longer needs to build separate heterogeneous systems for different data types. According to the “2026 Asia‑Pacific Gaming Industry Database Market Report” jointly released by Frost & Sullivan and Toubao Research Institute, Tencent Cloud MongoDB has achieved “triple first” in the Asia‑Pacific gaming industry: market share, growth rate, and comprehensive technology.
- TDSQL‑C database branching: Reduces 1TB database replication from hours to second‑level “forking,” enabling each agent to quickly obtain an isolated environment consistent with production. Combined with serverless second‑level startup and idle‑to‑zero capabilities, it precisely matches the long‑tail load pattern of AI programming: high‑frequency creation, low‑frequency usage.
- Hunyuan large model integrated into the optimiser: Reduces the average latency of “slow SQL” by over 60%.
Luo Yun, Deputy General Manager of Tencent Cloud Database, explained that load isolation uses a distributed multi‑node architecture, with independent AI nodes carrying LLM inference, essentially making it an HTAP system load isolation problem. For migration, the DTS platform uses an N+N migration logic rather than N×N, supporting gradual evolution by shard or by underlying data isolation. For cost, the AI node based on a MoE architecture only needs to activate 3B parameters, combined with cloud model pool sharing and inference acceleration, aiming to achieve order‑of‑magnitude token cost optimisation.
Internally at Tencent, these capabilities have already been deployed at scale in AI products such as Yuanbao, QClaw, CodeBuddy, and Claw Pro. From Ping An Bank completing a full‑stack domestic replacement of operating system, chip, and database, to the Hunyuan large model reducing the average latency of “slow SQL” by over 60% – Tencent Cloud is proving that domestic replacement and AI‑native development are not parallel lines, but dual evolutions on the same technology foundation.
- DBA Perspective: Tencent Cloud’s repositioning of “agents as new users” represents a paradigm shift in the database industry. Agent Memory’s “team memory” concept means that enterprise operations knowledge can be systematically accumulated and reused. DatabaseClaw frees DBAs from tedious cross‑console troubleshooting. Integrating the Hunyuan large model into the optimiser reduces slow SQL latency by 60% – this is not incremental optimisation, but a fundamental reshaping of the database kernel by AI. The DBA role is shifting from “hand‑writing SQL optimisation” to “training and tuning AI optimisation strategies.”
- CTO Perspective: This upgrade covers the entire chain from underlying architecture (TDSQL‑B unified multi‑modal foundation), development efficiency (database branching second‑level forking), to operational intelligence (DatabaseClaw). For CTOs planning data architectures for AI applications, multi‑modal hybrid search and Agent Memory directly solve the most challenging problems for agent applications: long‑term memory and multi‑modal data management. The large‑scale deployment within Tencent’s internal products validates technical maturity.
- Investor Perspective: Tencent Cloud’s intensive investment in the database+AI direction (previously TDSQL OLTP +50%, OLAP +20x), combined with this AI‑Native 3.0 upgrade, is building a full‑chain data intelligence closed loop covering “storage → governance → analysis → agents.” Ping An Bank’s full‑stack domestic replacement and the large‑scale deployment of internal AI products are core bellwethers for judging commercialisation progress.
## 02|National Phase IV Security and Reliability Evaluation Results Announced: 23 Products from 16 Vendors Selected, Dameng Becomes the Only Vendor with Grade II in Both Categories
On May 26, the China Information Security Evaluation Center and the National Secrecy Science and Technology Evaluation Center jointly released the “Security and Reliability Evaluation Results Announcement (2026 No. 2),” conducted in accordance with the “Security and Reliability Evaluation Guidelines V3.0” with a validity period of three years. The evaluation covers 8 centralised databases and 15 distributed databases, totalling 23 products from 16 vendors.
Centralised Databases: Dameng Database Management System V9 achieved Grade II (the highest level). The remaining 7 products all received Grade I, including Alibaba Cloud PolarDB (MySQL Edition) V2.0, OceanBase (Centralised Edition) V4, and Huawei Cloud TaurusDB V3.0.
Distributed Databases: A total of 15 products were selected. Dameng Database Management System (Distributed Edition) V9, YashanDB Distributed Database Management System V23, GaussDB V3.0 (Distributed Edition), and GoldenDB V7 received Grade II. The remaining 11 products received Grade I, including TimechoDB V2.0, Alibaba Cloud AnalyticDB for PostgreSQL V2.0, GBase 8c V6, ArgoDB V6, and DolphinDB V2.0.
YashanDB passed evaluation for both centralised and distributed forms within a single year, becoming one of the youngest Grade II recipients. Dameng is the only vendor to achieve Grade II in both centralised and distributed tracks, forming the first tier of domestic database Xinchuang evaluation together with Huawei Cloud (GaussDB Distributed Grade II + TaurusDB Centralised Grade I).
- DBA Perspective: Dameng becoming the only dual‑track Grade II vendor is an important reference signal for DBAs in Xinchuang selection. Grade II (the highest security and reliability level) means that the product has passed national authoritative certification in architecture design, security mechanisms, disaster recovery capability, and other dimensions. YashanDB passing evaluation for both forms within a single year is also worth keeping on DBAs’ technology radar. For DBAs planning Xinchuang projects in highly regulated industries such as finance and government, the National Phase IV list should serve as an “access list” for selection.
- CTO Perspective: Dameng’s dual‑track Grade II, YashanDB’s rapid evaluation passing, and Huawei Cloud and ZTE achieving Grade II in the distributed track indicate that the overall maturity of domestic databases in terms of security and reliability has significantly improved. When making Xinchuang technology selections, CTOs can use the National Phase IV list as an “access reference” for the security baseline, but specific selection should still comprehensively evaluate based on business scenarios (centralised vs distributed) and industry cases.
- Investor Perspective: The National Phase IV evaluation is a “birth permit” for Xinchuang procurement – selected products are qualified to participate in national‑level Xinchuang projects. Dameng’s dual‑track Grade II certification further consolidates its competitive position in core scenarios such as finance and government. YashanDB’s rapid evaluation passing is also worth attention; the research background of its parent company, the Shenzhen Institute of Computing Sciences, may become a catalyst for accelerated commercialisation.
## 03|Oracle May 2026 CPU Released: Net Service Component Exposes CVE-2026-46833 (CVSS 9.0), REST Data Services Hardest Hit
On May 27, Oracle released its May 2026 Critical Patch Update (CPU), involving high‑risk vulnerability fixes across multiple product families.
The highest‑rated vulnerability in this CPU is CVE-2026-46840 (CVSS 10.0), which exists in the Backend‑as‑a‑Service component of Oracle REST Data Services and allows an unauthenticated attacker to compromise Oracle REST Data Services via HTTPS network access.
Oracle REST Data Services became the hardest hit area in this CPU, with multiple high‑risk vulnerabilities disclosed:
- CVE-2026-46775 and CVE-2026-46839 (CVSS 9.9): Core component vulnerabilities allowing a low‑privilege attacker to fully control Oracle REST Data Services.
- CVE-2026-2332 (CVSS 9.1): Core (Eclipse Jetty) component vulnerability allowing an unauthorised attacker to add, delete, or modify critical data without authorisation.
Oracle Database Server Net Service Component:
- CVE-2026-46833 (CVSS 9.0): Affects versions 23.4.0 to 23.26.2. Attack complexity is high, but allows an unauthenticated attacker to compromise Net Service via network TLS access, and the attack may significantly impact other products (scope changed). Successful attack can lead to full takeover of Net Service.
Other Product Vulnerabilities:
- Oracle Communications Unified Assurance: CVE-2026-33557 (CVSS 9.1), CVE-2026-41044 (CVSS 8.8) in Message Bus (Apache Kafka), and CVE-2025-15467 (CVSS 8.8) in Core (MySQL Server).
- Oracle Hospitality OPERA 5 Property Services: CVE-2026-34311 (CVSS 9.8).
Affected platforms include Oracle Database Server 23.4.0 to 23.26.2, Oracle REST Data Services 24.2.0 to 26.1.0, Oracle Communications Unified Assurance 6.11 to 7.00, and others.
- DBA Perspective: The CVSS 10.0 vulnerability CVE-2026-46840 deserves high vigilance – no authentication required, network access only, potential full takeover of REST Data Services. The affected versions cover most current Oracle 23ai and REST Data Services deployments. DBAs should immediately assess the version status of Oracle Database in production environments and schedule a patch window for the May CPU. As the REST API gateway for the database, high‑risk vulnerabilities in Oracle REST Data Services may directly affect the data security boundary of front‑end applications; patch priority should be set to P0.
- CTO Perspective: The concentrated outbreak of multiple high‑score vulnerabilities in the REST Data Services component in this Oracle CPU, and the “scope changed” characteristic of CVE-2026-46833, indicate that attacks could extend from the database service to other affected products. Oracle’s sustained high‑frequency CPU releases (consecutive updates in April and May 2026) reflect the ongoing maintenance costs of traditional database security, which will continue to drive enterprise customers to evaluate cloud‑native and open‑source alternative solutions.
- Investor Perspective: The appearance of a CVSS 10.0 vulnerability, combined with the hardest‑hit status of REST Data Services, signals that even the most mature commercial databases can have fatal defects in their API gateway layer. This will continue to drive enterprise customer spending on database security auditing and API protection.
## 04|OTRS Discloses CVE-2026-48188 Critical Vulnerability: Unauthenticated SQL Injection Under Specific MySQL Configuration
On May 31, OTRS (Open‑Source Ticket Request System) was disclosed to have a critical SQL injection vulnerability, numbered CVE-2026-48188. The vulnerability exists in the database layer module of OTRS and ((OTRS)) Community Edition, allowing an unauthenticated attacker to bypass authentication via SQL injection.
Exploitation of this vulnerability requires a specific configuration condition: the underlying MySQL or MariaDB server must be configured with NO_BACKSLASH_ESCAPES SQL mode. This SQL mode changes how backslash characters are interpreted in query processing, creating a pathway for malicious input to be executed as SQL commands. When this mode is enabled, standard escaping mechanisms fail.
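Why the escaping has to match the server's SQL mode, shown as an added example that is not OTRS code or part of the original advisory: a simplified model of how a single‑quoted string literal is delimited with and without NO_BACKSLASH_ESCAPES. All function names and the two sample values are constructed for illustration.

```python
# Added illustration (not OTRS code): simplified model of how MySQL/MariaDB
# find the end of a single-quoted string literal under each sql_mode setting.

def backslash_escape(value):
    """Escaping that assumes backslash is the escape character."""
    return value.replace("\\", "\\\\").replace("'", "\\'")

def quote_doubling_escape(value):
    """SQL-standard escaping: a quote inside a literal is written twice."""
    return value.replace("'", "''")

def mode_aware_escape(value, no_backslash_escapes):
    """Pick the escaping that matches the server's sql_mode."""
    if no_backslash_escapes:
        return quote_doubling_escape(value)
    return backslash_escape(value)

def literal_end(sql, no_backslash_escapes):
    """Index just past the closing quote of the literal that opens at sql[0]."""
    i = 1
    while i < len(sql):
        ch = sql[i]
        if ch == "\\" and not no_backslash_escapes:
            i += 2                      # backslash consumes the next character
        elif ch == "'" and sql[i + 1:i + 2] == "'":
            i += 2                      # doubled quote is one literal quote
        elif ch == "'":
            return i + 1                # closing quote
        else:
            i += 1
    raise ValueError("unterminated string literal")

def contained(escaped, no_backslash_escapes):
    """True if the escaped value ends exactly at the closing quote we added."""
    sql = "'" + escaped + "'"
    try:
        return literal_end(sql, no_backslash_escapes) == len(sql)
    except ValueError:
        return False

def survey(value):
    """Map (escaper, mode) -> whether the value stays inside its literal."""
    results = {}
    for nbe in (False, True):
        mode = "NO_BACKSLASH_ESCAPES" if nbe else "default"
        results[("backslash", mode)] = contained(backslash_escape(value), nbe)
        results[("doubling", mode)] = contained(quote_doubling_escape(value), nbe)
        results[("mode_aware", mode)] = contained(mode_aware_escape(value, nbe), nbe)
    return results

if __name__ == "__main__":
    # Constructed, benign sample values: a surname and a Windows path.
    for sample in ("O'Brien", "C:\\logs\\"):
        for key, ok in sorted(survey(sample).items()):
            print(f"{sample!r:12} {key[0]:10} {key[1]:22} contained={ok}")
```

Neither fixed escaping strategy is correct under both modes, which is why bound parameters, or escaping chosen from the server's actual mode, are the robust options.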
Affected versions are extensive: covering OTRS 7.0.X, 8.0.X, 2023.X, 2024.X, 2025.X, 2026.X series (up to versions before 2026.4.X), as well as ((OTRS)) Community Edition 6.0.x. Products based on ((OTRS)) Community Edition are also very likely affected.
Because OTRS is widely used in customer service, help desk systems, and business‑critical communication infrastructure, the damage radius of this vulnerability is large. CISA analysis indicates that the vulnerability could be exploited for full system takeover, data theft, and persistence mechanism establishment.
- DBA Perspective: The core lesson of CVE-2026-48188 is “hidden risks under specific configurations” – default MySQL/MariaDB settings are not affected, but systems with NO_BACKSLASH_ESCAPES mode enabled face a severe threat. DBAs should urgently check the SQL mode configuration of MySQL/MariaDB in production environments with `SELECT @@sql_mode;`. If the output contains `NO_BACKSLASH_ESCAPES` and the system is running OTRS‑related services, upgrade immediately to the patched version. This case also reminds DBAs that “small configuration differences” can fundamentally change the security posture.
- CTO Perspective: The particularity of the OTRS vulnerability is that its exploitation depends on a “non‑default” setting at the database configuration level. This means that security assessments must cover the full‑stack combination of “application + database configuration.” It is recommended to establish a configuration baseline inspection mechanism and bring all non‑default configurations under the security review scope of change management.
- Investor Perspective: The OTRS vulnerability once again validates the importance of “open‑source software supply chain security.” The security risks of enterprise‑grade open‑source applications under specific configurations will drive continued demand for configuration security scanning and compliance auditing services.
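One way to turn the SQL mode check and the configuration baseline inspection described above into a repeatable audit, as an added example that is not from OTRS or the original article. `SELECT @@sql_mode;` returns the session value, so the sketch assumes the server-wide value from `SELECT @@GLOBAL.sql_mode;` has been collected per host together with the option file text; host names, file contents and the baseline are constructed.

```python
import re

# Added example. Hosts, option-file text and the baseline are constructed samples.
RISKY = {"NO_BACKSLASH_ESCAPES"}          # precondition named for CVE-2026-48188
SERVER_GROUPS = {"mysqld", "mariadb", "server"}
BASELINE = {"ONLY_FULL_GROUP_BY", "STRICT_TRANS_TABLES", "NO_ENGINE_SUBSTITUTION"}

def parse_modes(value):
    """Turn an sql_mode string into a set of upper-case mode names."""
    value = value.split("#", 1)[0].strip().strip("'\"")
    return {m.strip().upper() for m in value.split(",") if m.strip()}

def modes_from_option_file(text):
    """sql_mode assigned in a server group of an option file, or None if unset."""
    group, found = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;!":      # blank, comment, !include directive
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            group = header.group(1).strip().lower()
        elif group in SERVER_GROUPS and "=" in line:
            key, value = line.split("=", 1)
            # Both sql_mode and sql-mode spellings are accepted in option files.
            if key.strip().lower().replace("-", "_") == "sql_mode":
                found = parse_modes(value)    # a later assignment overrides
    return found

def audit(host, runtime_value, option_file_text, baseline=BASELINE):
    """Findings for one host: risky mode, non-baseline modes, runtime/file drift."""
    runtime = parse_modes(runtime_value)
    configured = modes_from_option_file(option_file_text)
    findings = []
    for where, modes in (("runtime", runtime), ("option file", configured)):
        if modes is None:
            continue
        for mode in sorted(modes & RISKY):
            findings.append(f"{host}: {mode} set in {where}")
        extra = sorted(modes - baseline - RISKY)
        if extra:
            findings.append(f"{host}: non-baseline modes in {where}: {', '.join(extra)}")
    if configured is not None and configured != runtime:
        findings.append(f"{host}: runtime sql_mode differs from option file")
    return findings

# Constructed inventory: host -> (@@GLOBAL.sql_mode output, option file text).
INVENTORY = {
    "db-a": ("ONLY_FULL_GROUP_BY,STRICT_TRANS_TABLES,NO_ENGINE_SUBSTITUTION",
             "[mysqld]\nport = 3306\n"),
    "db-b": ("STRICT_TRANS_TABLES,NO_BACKSLASH_ESCAPES",
             '[mysqld]\nsql-mode = "STRICT_TRANS_TABLES,NO_BACKSLASH_ESCAPES"\n'),
    "db-c": ("ONLY_FULL_GROUP_BY,STRICT_TRANS_TABLES,NO_ENGINE_SUBSTITUTION",
             "[client]\nsql_mode = ANSI\n[mysqld]\n"
             "sql_mode = STRICT_TRANS_TABLES,NO_BACKSLASH_ESCAPES  # legacy app\n"),
}

def audit_all(inventory=INVENTORY):
    """Run the audit over every host, in host-name order."""
    return [f for host, (rt, cfg) in sorted(inventory.items())
            for f in audit(host, rt, cfg)]

if __name__ == "__main__":
    print("\n".join(audit_all()))
```

The db-c case is the one a runtime-only check misses: the running server is clean, but the option file will enable the mode at the next restart.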
## 05|Kingware Defines Financial‑Grade Database Standards, Leading a New Paradigm for Domestic Replacement
Recently, CETC Kingware published an in‑depth technical article titled “Kingware Defines Financial‑Grade Database Standards, Leading a New Paradigm for Domestic Replacement,” systematically setting out Kingware’s core judgments and action paths for financial Xinchuang deep‑water replacement.
Core Judgment: The digital transformation of the financial industry is facing triple constraints: high concurrency, strong consistency, and data asset security. The “functional benchmarking” thinking of simple “replacement” is no longer sufficient to support true domestic replacement. The industry needs a native architecture system capable of defining “financial‑grade” stringent standards. The true new paradigm for domestic replacement is not simple code replacement, but for leading enterprises to redefine the technical standards for “financial‑grade databases” – a database system with financial‑grade high availability (RPO=0), financial‑grade data consistency (ACID strong constraints), financial‑grade security and compliance (national cryptographic algorithm support), and financial‑grade operational observability.
KingbaseES V9 Practical Support: Kingware has achieved large‑scale deployment in core accounting systems of multiple large financial institutions. In a pilot project at a large state‑owned bank, KingbaseES V9 successfully took over the core transaction system, maintaining the stringent indicators of zero data loss (RPO=0) and fast recovery (RTO<30s) under large‑scale concurrent transaction scenarios, fully benchmarking against internationally leading commercial databases. Kingware also provides efficient migration tools such as Kingbase FlySync, as well as advanced high‑availability and elastic scaling features such as KES RAC and KES Sharding.
Kingware Defines a New Financial‑Grade Database Paradigm: Kingware not only achieves full‑stack autonomy in its technical architecture (system prefix unified as “sys_”, configuration file standardised as “kingbase.conf”), but also proposes a “standards first” action initiative – when selecting, financial institutions should focus on whether a vendor has the ability to define financial‑grade standards and whether it has real‑world cases of large‑scale core system verification, rather than only looking at feature lists.
Previously, Kingware achieved RTO reduction from 15 minutes to under 30 seconds (a 97% reduction) in the migration of a head securities firm’s core trading system, and a breakthrough TPS increase from 5,000 to 8,500 (a 70% improvement) in the core system migration of a state‑owned bank.
- DBA Perspective: Kingware’s proposed shift “from replacement to defining standards” reveals the deep logic of financial Xinchuang – the end goal for domestic databases is not “being like Oracle,” but “becoming the financial‑grade standard itself.” For DBAs, this means that the dimension for evaluating databases in the future will evolve from “benchmark score comparison” to “whether financial‑grade RPO/RTO standards are met.” Kingware’s real‑world data of RPO=0 and RTO<30s in a bank core system is a core reference baseline for DBAs in financial Xinchuang selection.
- CTO Perspective: Kingware’s “standards first” initiative provides CTOs with a quantified selection framework – not only focusing on feature lists, but also examining whether a vendor has the ability to define standards and cases of large‑scale core system verification. The real‑world data of RPO=0 and RTO<30s in a state‑owned bank core system is hard proof that domestic databases have the ability to replace commercial databases in financial core scenarios.
- Investor Perspective: Kingware’s transformation from a “product supplier” to an “industry standard definer” is a sign of the maturity of the domestic database industry. Vendors with the ability to define standards and large‑scale core system verification cases will gain stronger order pricing power in the deep‑water Xinchuang replacement. Kingware’s accumulation of “zero‑downtime” cases in both the banking and securities tracks is its scarcest commercial moat.
## 📅 Recent Database Hot Topics Recap
| Date | Event | Core Highlights |
|------|-------|-----------------|
| May 29 | Tencent Cloud database enters AI‑Native 3.0 era | Agent Memory, TDSQL‑B unified multi‑modal foundation, database branching – over ten technical innovations |
| May 26 | National Phase IV security and reliability evaluation results announced | 23 products from 16 vendors selected; Dameng becomes only dual‑track Grade II vendor |
| May 27 | Oracle releases May 2026 CPU | ORDS component CVSS 10.0 vulnerability, Net Service CVSS 9.0 vulnerability |
| May 31 | OTRS CVE-2026-48188 critical vulnerability disclosed | Unauthenticated SQL injection possible under specific MySQL configuration, authentication bypass |
| Recent | Kingware defines financial‑grade database standards, leading new paradigm for domestic replacement | Proposes shift from “replacement” to “defining standards”; bank core system RPO=0, RTO<30s |
| June | TPC‑H benchmark results updated | Authoritative industry analysis organisation’s performance ranking of mainstream databases |
## 📌 Issue Summary
| News | Core Keywords | DBA Actions | CTO/Decision‑Maker Focus | Investor Perspective |
|------|---------------|-------------|--------------------------|----------------------|
| Tencent Cloud AI‑Native 3.0 upgrade | Agents as new users, Agent Memory, unified multi‑modal foundation, slow SQL ↓60% | Focus on Agent Memory’s four‑layer architecture; learn Hunyuan LLM’s technical principles for optimising slow SQL | Multi‑modal hybrid search + Agent Memory + database branching; systematically evaluate agent‑native capability blueprint | Tencent’s internal AI products already deployed at scale; commercialisation bellwethers clear |
| National Phase IV evaluation results | Dameng dual‑track Grade II, 23 products from 16 vendors, Xinchuang access list | Use National Phase IV list as “access list” for Xinchuang selection; focus on architecture capabilities of Grade II products | National Phase IV is security baseline for Xinchuang; specific selection needs comprehensive evaluation with business scenarios | Dameng’s dual‑track Grade II consolidates finance/government competitive position; YashanDB’s rapid evaluation passing worth attention |
| Oracle May CPU | CVSS 10.0 (ORDS), CVE-2026-46833 (9.0), Net Service takeover | Immediately assess affected versions; set May CPU patch to P0 priority | Concentrated outbreak of high‑score vulnerabilities in the ORDS component; API gateway security becomes new focus for database protection | API security audit and database protection spending will continue to grow |
| OTRS CVE-2026-48188 | NO_BACKSLASH_ESCAPES special configuration, unauthenticated injection | Urgently check MySQL/MariaDB SQL mode configuration; upgrade OTRS to patched version | Establish configuration baseline inspection mechanism; bring non‑default configurations under security review | Open‑source software supply chain security demand continues to grow |
| Kingware defines financial‑grade standards | Replacement → defining standards, bank RPO=0/RTO<30s, new financial‑grade paradigm | Include financial‑grade RPO/RTO standards in core system selection baseline | Standards first: examine whether vendor has ability to define standards and core system verification cases | Transformation from “product supplier” to “industry standard definer”; order pricing power increases |
> HiddenMerit Team Production
> Slogan: 绩优隐于内,金石启新程 | Hidden deep. Merit bold. Forge ahead.