Google Cloud AlloyDB for PostgreSQL Insecure Default Password Vulnerability Allowing Administrative Access
Vulnerability
Google Cloud AlloyDB for PostgreSQL clusters created prior to November 3, 2025, could be provisioned with an insecure default password. A remote attacker could use this default password to gain full administrative access to the database. The insecure default could only be introduced when a cluster was created through Terraform or the REST API; other clients blocked this behavior. Exploitation required network access to the AlloyDB cluster.
Impact
Exploitation of this vulnerability could lead to unauthorized administrative access to the PostgreSQL database, allowing an attacker to manipulate database settings, access sensitive data, or disrupt database operations.
Remediation
Users can manually set a secure password for the 'postgres' role when creating an AlloyDB cluster. For clusters already created, the password can be updated using the AlloyDB Admin API or the gcloud command-line tool. After updating the password, it's important to review and adjust any application connections that use the old password.
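As an added example (not part of the original advisory or Google's tooling), the script below triages an inventory to find clusters whose creation time falls before the cutoff, so their 'postgres' password can be rotated. It assumes the inventory is JSON as exported by `gcloud alloydb clusters list --format=json` with `name` and `createTime` fields, and that the cutoff is read as 00:00 UTC; the sample data is constructed.

```python
import json
import re
from datetime import datetime, timezone

# Cutoff from the advisory; interpreting it as 00:00 UTC is an assumption.
CUTOFF = datetime(2025, 11, 3, tzinfo=timezone.utc)
NAME_RE = re.compile(r"^projects/([^/]+)/locations/([^/]+)/clusters/([^/]+)$")
TIME_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(\.\d+)?Z$")


def parse_create_time(value):
    """Return an aware UTC datetime, or None if the value is missing or malformed."""
    match = TIME_RE.match(value or "")
    if not match:
        return None
    # Fractional seconds (up to nanoseconds) are irrelevant at day granularity.
    return datetime.strptime(match.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def clusters_to_review(inventory_json):
    """List clusters created before CUTOFF, plus any whose age cannot be determined."""
    findings = []
    for cluster in json.loads(inventory_json):
        name = cluster.get("name", "")
        match = NAME_RE.match(name)
        project, region, cluster_id = match.groups() if match else (None, None, name)
        created = parse_create_time(cluster.get("createTime"))
        if created is None:
            reason = "createTime missing or unparseable"
        elif created < CUTOFF:
            reason = "created before cutoff"
        else:
            continue
        findings.append({"project": project, "region": region, "cluster": cluster_id, "reason": reason})
    return sorted(findings, key=lambda f: (f["project"] or "", f["region"] or "", f["cluster"]))


# Constructed sample inventory (not real clusters).
SAMPLE = json.dumps([
    {"name": "projects/demo-proj/locations/us-central1/clusters/orders", "createTime": "2025-06-14T09:21:07.123456789Z"},
    {"name": "projects/demo-proj/locations/europe-west1/clusters/billing", "createTime": "2025-11-03T00:00:00Z"},
    {"name": "projects/demo-proj/locations/us-east1/clusters/legacy", "createTime": "2025-11-02T23:59:59Z"},
    {"name": "projects/demo-proj/locations/us-east1/clusters/imported"},
])

if __name__ == "__main__":
    for finding in clusters_to_review(SAMPLE):
        print("{project}/{region}/{cluster}: {reason}".format(**finding))
```

A creation date before the cutoff marks a cluster as a candidate only; it does not show that the default password is actually in place, so treat each finding as a prompt to rotate the password and update dependent application connections.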
