
June 22, 2026 · 10:19 AM
DB Engineering Weekly: June 15–22, 2026
Two MongoDB CVEs demand immediate triage by network exposure (CVE-2026-9740 pre-auth BSON stack overflow, CVSS 8.7; CVE-2026-11933 use-after-free, CVSS 8.8), with patches landing in 8.0.26/8.2.11/8.3.4. MySQL 9.7.1 ships as a CSPU release, MariaDB Exa's HTAP Technical Preview claims 800× analytical speedup without ETL, pgEdge ColdFront v1.0.0-beta1 brings writable PostgreSQL→Iceberg cold tiering, and three EOL deadlines stack within six weeks (MariaDB 10.6 Jul 6, MySQL 8.0 Jul 31, MongoDB 8.2 Jul 31).
Two MongoDB CVEs dropped this week — one of them pre-authentication, reachable by anyone with network access to your mongod listener. MySQL 9.7.1 shipped as part of Oracle's quarterly CSPU cycle, and the 8.0 EOL countdown is now at five weeks. Architecturally, MariaDB's Exa HTAP Technical Preview is the most significant new thing on the board: a MaxScale-routed, CDC-fed Exasol MPP engine sitting alongside MariaDB OLTP, claiming 800× analytical speedup. pgEdge ColdFront beta introduces transparent PostgreSQL→Iceberg tiering with writable cold storage. pgvector v0.8.3 closes a potential HNSW index corruption path. And Weaviate shipped coordinated patches across three active release lines simultaneously.
MongoDB emergency patch: triage by exposure, not by CVSS
MongoDB released 8.0.26, 8.2.11, and 8.3.4 over June 16–18 to address two high-severity CVEs. [1] The CVSS scores are close — 8.7 vs. 8.8 — but the threat models are completely different.
CVE-2026-9740 (CVSS 8.7, High): A pre-authentication stack overflow in the BSON validator. Affects MongoDB 7.0+ through the BSONColumn code path. An attacker needs nothing except network reachability to the mongod listener — no credentials, no session. There is no off-switch for this path; the BSON validator processes every incoming client message. Patch is the only remediation.
CVE-2026-11933 (CVSS 8.8, High): A use-after-free in the server-side JavaScript engine's BSON-to-array conversion. Requires an authenticated read role. Affects all MongoDB versions from 4.4 through 8.0. [1] Mitigation is available without patching: setting security.javascriptEnabled: false (or --noscripting) removes the attack surface entirely, as long as your application does not use $where, $function, $accumulator, mapReduce, or system.js.
Percona engineer Radoslaw Szulgo's framing is worth keeping: "The first high-vulnerability issue has nothing between it and your mongod process except your firewall." [1] His triage rule: for deployments behind tight network controls, the authenticated bug is more urgent; for anything reachable from public cloud, shared internal LANs, or multi-tenant infrastructure, CVE-2026-9740 takes priority.
Ten additional CVEs (CVE-2026-9753 through CVE-2026-9741) were fixed in the same patch wave. Percona Server for MongoDB patches are targeted: 7.0 series June 23, 8.0 and 6.0 series June 25.
EOL note: MongoDB 8.2 reaches end of life on July 31 — the same date as MySQL 8.0. [1] Teams on 8.2 patching to 8.2.11 this week are patching into a branch with five weeks of support left.
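The triage rule and the configuration-level mitigation above, turned into a fleet checklist. This is an added example, not Percona's or MongoDB's tooling: the affected version ranges and the 8.0.26/8.2.11/8.3.4 fixed versions come from the advisory summary, the 7.0 and 6.0 branches are treated conservatively as unpatched because no fixed version for them is given here, and the fleet records, exposure labels and the config/argv/app_features fields are constructed sample data.

```python
"""Exposure-based triage for CVE-2026-9740 and CVE-2026-11933 (added example)."""
from dataclasses import dataclass, field

# Fixed versions per release branch named in the advisory summary. Branches the
# page lists as affected but gives no fixed version for (7.0, 6.0, ...) are
# deliberately absent and therefore treated as unpatched.
FIXED_BY_BRANCH = {
    (8, 0): (8, 0, 26),
    (8, 2): (8, 2, 11),
    (8, 3): (8, 3, 4),
}

# Features that need server-side JavaScript. If the application relies on any
# of them, disabling JS is not an available mitigation for CVE-2026-11933.
JS_DEPENDENT_FEATURES = {"$where", "$function", "$accumulator", "mapReduce", "system.js"}

# Exposure classes (assumed labels) for which the pre-auth bug outranks the
# authenticated one, per the triage rule above.
BROAD_EXPOSURE = {"public_cloud", "shared_lan", "multi_tenant"}


@dataclass
class Deployment:
    name: str
    version: str                                     # mongod version, e.g. "8.0.20"
    exposure: str                                    # "restricted" or a BROAD_EXPOSURE label
    config: dict = field(default_factory=dict)       # parsed mongod.conf (constructed)
    argv: list = field(default_factory=list)         # extra mongod command-line flags
    app_features: set = field(default_factory=set)   # operators the application uses


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def is_patched(ver):
    """True/False when the branch's fixed version is known, None otherwise."""
    fixed = FIXED_BY_BRANCH.get(ver[:2])
    return None if fixed is None else ver >= fixed


def vulnerable_to_9740(ver):
    # Pre-auth BSON validator overflow via BSONColumn: MongoDB 7.0 and later.
    return ver >= (7, 0) and is_patched(ver) is not True


def vulnerable_to_11933(ver):
    # Server-side JS use-after-free: 4.4 through the 8.0 series.
    return (4, 4) <= ver < (8, 1) and is_patched(ver) is not True


def js_disabled(config, argv):
    by_conf = config.get("security", {}).get("javascriptEnabled") is False
    return by_conf or "--noscripting" in argv


def triage(dep):
    """Return {cve: status} plus 'patch_order', the order to act on open items."""
    ver = parse_version(dep.version)
    result = {}

    # CVE-2026-9740 has no configuration off-switch; patching is the only fix.
    result["CVE-2026-9740"] = "patch_required" if vulnerable_to_9740(ver) else "not_affected"

    if not vulnerable_to_11933(ver):
        result["CVE-2026-11933"] = "not_affected"
    elif js_disabled(dep.config, dep.argv):
        result["CVE-2026-11933"] = "mitigated_by_config"
    elif dep.app_features & JS_DEPENDENT_FEATURES:
        result["CVE-2026-11933"] = "patch_required"  # JS cannot be switched off here
    else:
        result["CVE-2026-11933"] = "disable_js_then_patch"

    order = (["CVE-2026-9740", "CVE-2026-11933"] if dep.exposure in BROAD_EXPOSURE
             else ["CVE-2026-11933", "CVE-2026-9740"])
    open_items = {"patch_required", "disable_js_then_patch"}
    result["patch_order"] = [cve for cve in order if result[cve] in open_items]
    return result


# Constructed sample fleet, not real hosts.
FLEET = [
    Deployment("api-prod", "8.0.20", "public_cloud"),
    Deployment("billing", "8.0.20", "restricted",
               config={"security": {"javascriptEnabled": False}}),
    Deployment("legacy", "6.0.15", "restricted", app_features={"$where"}),
    Deployment("analytics", "8.2.11", "shared_lan"),
]

if __name__ == "__main__":
    for dep in FLEET:
        print(dep.name, triage(dep))
```

The mitigated_by_config status is only as good as the configuration actually running on every node, and an application that uses any of the five JS-dependent features falls through to patch_required, which is exactly the caveat the advisory attaches to the off-switch.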
MySQL 9.7.1 CSPU and the three-deadline summer
Oracle released MySQL 9.7.1 (Innovation) and 8.4.10 (LTS) on June 16 as part of the quarterly June 2026 Critical Security Patch Update cycle, alongside MySQL Shell 8.4.10, Router 8.4.10, and NDB Cluster 8.4.10/9.7.1 (June 17). [2] Oracle has not disclosed specific CVE details in the public release notes beyond designating these as a CSPU cycle release.
Three EOL deadlines now stack inside six weeks:
| Engine / branch | EOL date | Weeks remaining |
|---|---|---|
| MariaDB 10.6 Community | July 6, 2026 | ~2 weeks |
| MySQL 8.0 (Oracle) | July 31, 2026 | ~5 weeks |
| MongoDB 8.2 | July 31, 2026 | ~5 weeks |
MariaDB 10.6 is the most immediately urgent: two weeks is not enough time to plan and execute a major version upgrade if you have not started. Oracle's OCI documentation targets MySQL 8.0.46 as the July DB Systems update but has not published a specific migration path tool for 8.0→8.4 or 8.0→9.x. AWS RDS Blue/Green deployment remains the documented low-downtime path for RDS MySQL 8.0 users. [2]
MariaDB Exa: MaxScale-routed HTAP without an ETL pipeline
MariaDB announced the Exa Technical Preview on June 16 — a hybrid transactional/analytical processing (HTAP) architecture that integrates Exasol's massively parallel processing (MPP) columnar engine directly into MariaDB Cloud. [3]
The routing layer is MariaDB MaxScale. Writes go to the MariaDB OLTP engine; queries classified as analytical get dispatched to the Exasol MPP engine. The data stays in sync via a Change Data Capture pipeline off the MariaDB binary log — no separate ETL, no manual replication topology to manage. MaxScale can dispatch a query to both engines simultaneously, return whichever responds first, and terminate the slower one.
The claimed speedup is 800× for analytical queries compared to "traditional configurations." [3] MariaDB has not published a benchmark methodology or comparable baseline configuration, so treat this figure as directional until a reproducible test appears. The underlying mechanism — columnar MPP versus row-oriented InnoDB for aggregation-heavy queries — would produce a substantial gap; 800× implies an extreme case.
Available as a managed cloud service (single provisioning workflow) or self-hosted. The "no cluster to provision, no MaxScale to configure, no replication topology to maintain" pitch targets the operational friction that typically gates HTAP adoption in mid-size engineering teams.

Trade-off note. Exa is a Technical Preview, not GA. The architecture adds a second engine's operational surface area (Exasol MPP) behind a managed interface. The CDC lag between the OLTP write and the analytical query result is not quantified in the announcement — for use cases sensitive to read-your-writes on the analytical side, that gap matters. Self-hosted deployments get the routing flexibility but also inherit MaxScale configuration complexity.
PostgreSQL 19 Beta 1 and pgEdge ColdFront
PostgreSQL 19 Beta 1 has been available since June 5 (just before this window), but community analysis peaked this week. Craig Kerstiens (Snowflake) framed the release accurately: "The most interesting part to me is less 'Postgres is now a graph database' and more 'Postgres continues to make the database you already picked more capable.'" [4]
The features with the most direct production relevance, per Christophe Pettus (PGX): the quiet flip of jit = off as default, which will change query plans and timings for any deployment relying on JIT-compiled execution, and the 64-bit MultiXactOffset eliminating the 4-billion-member wraparound risk. [5] SQL/PGQ, REPACK CONCURRENTLY, partition MERGE/SPLIT, parallel autovacuum workers, and logical sequence replication fill the headline list. GA is targeted for September 2026. AWS RDS Database Preview Environment has Beta 1 available in us-east-1.
Pettus also published eight consecutive "All Your GUCs in a Row" posts on thebuild.com this week — a useful reference for anyone tuning PG18/19 behavior. The entry on effective_cache_size is the most commonly misunderstood: it "doesn't allocate memory, reserve RAM, or control runtime behavior — it merely whispers a number to the query planner to make it smarter." [6] PostgreSQL 19 switches default_toast_compression from pglz to lz4; if you have storage-sensitive deployments, that default behavior change will affect new writes.
pgEdge ColdFront v1.0.0-beta1 (June 18) introduces transparent data tiering for community PostgreSQL 17/18. [7] Hot (recent) rows stay in the PostgreSQL heap; cold (expired) rows are automatically tiered to Apache Iceberg on S3-compatible object storage. The key differentiator from other PostgreSQL→Iceberg solutions: cold-tier data is fully writable — UPDATE and DELETE work without restoring data to the hot tier first. DuckDB is embedded in-process (not a daemon) for columnar analytics over cold data. Applications use the same relation name and SQL — the C extension intercepts DML at the planner level and routes to the appropriate tier.
Antony Pegg (pgEdge): "Applications use SELECT, INSERT, UPDATE, and DELETE against the same relation they always have... The application doesn't know there are two tiers, and it doesn't need to." [7] On pgEdge Spock distributed nodes, the implementation scales from 2.4M rows/sec on 3 nodes to 4.2M rows/sec on 5 nodes, with a TLA+-verified bakery protocol for cold-tier concurrent writes. PostgreSQL License, available on GitHub.
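The two PostgreSQL 19 default changes mentioned above (jit to off, default_toast_compression to lz4) only bite deployments that never pinned those GUCs: a value that comes from postgresql.conf or ALTER SYSTEM survives a major upgrade, while a value that is merely the compiled-in default changes with the binary. The check below is an added example, not part of PostgreSQL or of Pettus's posts. It reads the name, setting and source columns of pg_settings (the sample rows are constructed, and the pipe-separated layout is an assumption) and reports which of the two GUCs will actually flip after the upgrade.

```python
"""Pre-upgrade check for PostgreSQL 19 default changes (added example)."""

# (PostgreSQL 18 default, PostgreSQL 19 default) per GUC, from the text above.
PG19_DEFAULT_CHANGES = {
    "jit": ("on", "off"),
    "default_toast_compression": ("pglz", "lz4"),
}

# Constructed sample of `SELECT name, setting, source FROM pg_settings`
# exported pipe-separated with a header row; not output from a real cluster.
SAMPLE_PG_SETTINGS = """\
name|setting|source
jit|on|default
default_toast_compression|pglz|default
effective_cache_size|524288|configuration file
work_mem|4096|default
"""


def parse_pg_settings(text):
    """Return {name: (setting, source)} from pipe-separated rows with a header."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    rows = {}
    for line in lines[1:]:  # skip the header row
        name, setting, source = line.split("|", 2)
        rows[name] = (setting, source)
    return rows


def upgrade_flips(settings):
    """Describe what each changed-default GUC will be worth after the upgrade.

    Only a GUC whose source is 'default' follows the new compiled-in default.
    Anything set in postgresql.conf, via ALTER SYSTEM, or per role/database
    keeps the value the operator chose.
    """
    findings = []
    for name, (pg18_default, pg19_default) in PG19_DEFAULT_CHANGES.items():
        if name not in settings:
            continue
        setting, source = settings[name]
        if source == "default":
            after = pg19_default
            action = (f"pin '{name} = {setting}' in postgresql.conf if you depend "
                      f"on the current behaviour"
                      if setting != pg19_default else "already at the new default")
        else:
            after = setting
            action = f"explicitly set via {source}; unchanged by the upgrade"
        findings.append({
            "name": name,
            "pg18_default": pg18_default,
            "current": setting,
            "after_upgrade": after,
            "action": action,
        })
    return findings


def flipping_gucs(settings):
    """Names of the GUCs whose effective value will actually change."""
    return [f["name"] for f in upgrade_flips(settings)
            if f["current"] != f["after_upgrade"]]


if __name__ == "__main__":
    for finding in upgrade_flips(parse_pg_settings(SAMPLE_PG_SETTINGS)):
        print(finding)
```

Run it against the real pg_settings export of each cluster before the 19 upgrade window; a jit row with source 'default' is the one that changes plans and timings without anyone having edited a config file.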
Releases and patches
pgvector v0.8.3 (June 18) is a maintenance release after a 3.5-month gap since v0.8.2. [8] The most operationally significant fix is a potential HNSW index corruption issue (GitHub issue #988). Additionally: a new HNSW_VACUUM_PROGRESS flag, improved vacuum progress reporting for round block sizes, deleted element checks, and memory usage tracking for HNSW vacuuming. A performance regression affecting Hamming and Jaccard distance queries on PostgreSQL 18 (issue #985) is fixed. PostgreSQL 19+ compatibility is added via an always-inlined pg_popcount64 path.
Weaviate coordinated 3-line patch wave (June 16–18): Weaviate shipped patches for all three active release lines within 48 hours — v1.38.1, v1.37.9, and v1.36.18. [9] The shared security changes across all three: debug endpoints disabled by default, Alpine Docker image updated from 3.21 to 3.24. v1.38.1 additionally fixes an MCP hybrid search bug returning objects without properties, auto-enables async replication when erf=1 and arf>1, removes the unused replicated indices queue feature, and fixes a goroutine leak in S3 backup listing. The simultaneous three-line release suggests a coordinated security/stability response rather than a routine patch cycle. No Weaviate statement accompanied the release; the v1.38.0 GA blog post remains unpublished on weaviate.io/blog as of June 22, now 17 days after that release went live on GitHub.
Spring Boot 4.1 (June 21) ships spring-boot-starter-batch-data-mongodb, allowing Spring Batch's JobRepository to persist in MongoDB collections (BATCH_JOB_INSTANCE, BATCH_JOB_EXECUTION, BATCH_STEP_EXECUTION) instead of JDBC tables. [10] Requires a MongoDB replica set (Spring Batch transactions need replica set semantics). Josh Long (Spring): "Pick the database that fits your data. Spring Batch will fit itself around your choice." [10] Excluding BatchJdbcAutoConfiguration.class flips persistence from JDBC to MongoDB. Also ships: lazy DataSource connection retrieval (spring.datasource.connection-fetch=lazy) and GraalVM native image support.
Debezium 3.6.0.Beta2 (announced June 15, tagged June 12) adds MySQL GTID tags support (MySQL 8.3+ :: tag format), a new Debezium CLI, Google Spanner connector UUID support (Spanner connector reaching GA in 3.6), Quarkus Extensions column change filtering for single-event and batch-event capture, customizable zero-date fallback values per MySQL/MariaDB type, and an OpenTelemetry Collector deployment option in the Platform Helm Chart. [11] PostgreSQL compatibility is tested through version 18. 3.5.2.Final remains current stable.
QuestDB 9.4.3 (June 15) ships parquet-native tables and a significant ORDER BY ... LIMIT improvement: on a 200M-row partition, query latency drops from an unstable 380ms–200s range to a stable 19.76ms using encoded sort on Parquet partitions. [12] Parquet write path conversion time drops from 1.96s to 1.05s (2× speedup), with file size reduced from 432MB to 338MB (47% reduction) on 20M-row partitions. New is_end_of_month(timestamp) SQL function and configurable memory usage logging.
MariaDB Connector/J 3.5.9 (June 15) adds TLS trust/key manager caching across connections (reduces SSL handshake overhead), a Service Provider Interface (SPI) for PAM interactive dialog authentication, a useIpForKillQuery option, and full GraalVM native-image support with CI coverage. [13]
PlanetScale Connections (June 15): a new pscale branch connections top CLI command for live database connection monitoring. [14] Supports both PlanetScale Postgres (pg_stat_activity-based) and Vitess/MySQL (SHOW FULL PROCESSLIST-based). Features: ~1/second live refresh, blocker tree visualization, rolling history with pause/step/replay, and session capture to file for postmortems. Uses a reserved administrative connection that remains available even when regular application connections are exhausted. Brett Warminski (PlanetScale): "Managed databases should remove the need to SSH into a box, not remove your ability to debug an incident." [14]
Image caption: connections top, live view showing a stuck checkout transaction blocking other sessions, with blocker tree visualization. [14]
Cross-engine positioning
DB-Engines June 2026 updated across 434 tracked systems. [15] PostgreSQL posted the highest monthly gain in the relational tier: +5.55 to 688.23 (4th overall). Databricks is the largest absolute monthly gainer in the top 25: +5.80 to 157.58, now 7th — up from 12th a year ago (+52.91 year-over-year). MongoDB holds 5th at 387.97 (+3.33 month, −14.87 year). DuckDB moved to 42nd at 10.30 (+0.71, +3.00 year). In the vector DBMS tier: Pinecone 8.63 (#48), Milvus 6.37 (#56), Qdrant 5.58 (#64), Weaviate 4.55 (#70), Chroma 2.96 (#92).
1bench.dev vector DB ranking (updated June 22): Qdrant shows the strongest 30-day GitHub star growth among dedicated vector engines at +1.0k (32.5k total). [16] New entrant worth noting: Zvec at #9 with 12.0k stars (+2.4k/30d) — a lightweight in-process vector database built on Alibaba's Proxima engine, Apache-2.0 licensed, founded 2025. HelixDB (#14, 5.4k, +862/30d) — graph-vector hybrid — is also growing quickly. Chroma's last stable release remains 1.5.9 from May 5 (48 days ago); dev builds are active (1.5.10.dev134 on June 20) but a stable cut has not shipped.
No cross-engine OLTP benchmarks this week. CMU Database Group is on summer break. No independent TPC-C, Sysbench, or YCSB results appeared for any engine. The MariaDB Exa 800× claim is the only performance figure, and it lacks a published methodology.
Migration gap continues. No database migration case studies or post-mortems appeared this week. Engineering blogs from Shopify, Stripe, Netflix, and Uber published no database migration content in the window. The gap now spans four consecutive weeks.
arXiv cs.DB this week: 47 papers across June 15–19. [17] Notable: AgenticDB (2606.20318) uses LLM agents for automatic MySQL/PostgreSQL performance reconfiguration, validated on YCSB/Sysbench/TPC-H. Bi-Channel Networking Paradigm (2606.19969, Viktor Leis et al.) was accepted to EDBT 2027. Revisiting Filtered ANN Benchmarks (2606.14193, VLDB 2026) introduces a controllable benchmark generator for filtered approximate nearest neighbor search.
Cover: AI-generated illustration
References
- [1] Percona: Security advisory CVE-2026-9740 and CVE-2026-11933
- [2] Oracle/MySQL: Changes in MySQL 9.7.1
- [3] MariaDB: MariaDB Exa Technical Preview
- [4] Snowflake: Looking Ahead to Postgres 19
- [5] InfoQ: PostgreSQL 19 Beta Introduces SQL Graph Queries and Concurrent Table Repacking
- [6] Christophe Pettus: The Build
- [7] pgEdge: Introducing ColdFront
- [8] pgvector/pgvector: Tags
- [9] weaviate/weaviate: Releases
- [10] Spring: MongoDB-backed Spring Batch jobs in Spring Boot 4.1
- [11] Debezium: Release Series 3.6
- [12] QuestDB: Release Notes
- [13] MariaDB: Java Connector 3.5.9
- [14] PlanetScale: See what your database is doing right now
- [15] DB-Engines: Ranking June 2026
- [16] 1bench.dev: 35+ Vector Databases Ranked & Compared
- [17] arXiv: cs.DB recent submissions