Adobe has released a new security update for Adobe Commerce and Magento Open Source: APSB26-73. This one demands your immediate attention. The bulletin resolves 13 vulnerabilities, eight of them critical. The headline is CVE-2026-48358, rated a maximum 10.0 CRITICAL by NVD: an unauthenticated, zero-interaction flaw in the webhooks component that can lead to arbitrary code execution. A second critical, CVE-2026-48356 (CVSS 9.6), allows attackers to upload unrestricted files to the server.
Adobe has released an isolation patch for these issues, so even if a full upgrade is not feasible right now, you have no excuse to delay the critical fix.
If you run Adobe Commerce or Magento Open Source, stop what you are doing and read this. Pre-authentication vulnerabilities are the ones that get exploited in the wild fastest. As EveryHost's analysis notes, "automated scanners will be probing for unpatched stores within days." We saw exactly this pattern with SessionReaper (CVE-2025-54236), which went from bulletin to active exploitation within days.
This bulletin is also a small piece of history: it is the first Adobe Commerce bulletin published under Adobe's new twice-monthly security schedule, which began on 14 July 2026. Security fixes now land on the second and fourth Tuesdays of each month.
What does this mean for merchants?
The CVSS 10.0 vulnerability sits in output encoding around Adobe Commerce's webhooks functionality, the plumbing stores use to notify external systems when events happen (an order placed, a customer created). As EveryHost explains, "improper escaping of output in that path can be turned into arbitrary code execution." In plain terms: a well-crafted request from someone with no account and no login could end with attacker-controlled code running inside your store. That is the same class of outcome as the worst Magento CVEs in history, the ones behind mass card-skimming campaigns.
Adobe states it is "not aware of any exploits in the wild" for APSB26-73 issues. That makes this the cheap moment to patch.
The bulletin covers every supported release line. As noted in Adobe's Experience League knowledge base article (ka-37421), patches ship as isolated files that apply only on the exact latest patch level of each line. The new version labels use a "-2026-jul" suffix (for example, 2.4.9-2026-jul, 2.4.8-2026-jul).
A critical caveat from Sam James's community analysis: unlike the old quarterly -p releases, isolated patches are not cumulative. APSB26-73 for the 2.4.8 line only applies to 2.4.8-p5, not p4, not p3. If you are not on the latest patch level for your minor version, you must catch up first.
The playbook
Read the bulletin and assess your exposure (~30 minutes)
Review the full APSB26-73 security bulletin and the Experience League knowledge base article (ka-37421). Identify which CVEs apply to your specific version. Check whether you have already applied all prior patches (APSB26-49, APSB26-05, and the September 2025 hotfix for CVE-2025-54236). If not, you may have compounding exposure.
Apply the isolation patch for the unauthenticated vulnerability (~1 to 2 hours)
Download the isolation patch file referenced in the ka-37421 article. This is your highest priority. Apply it to your staging environment first, run a quick smoke test (homepage loads, add-to-cart works, checkout completes, admin panel accessible), and then deploy to production. Do this today, not next sprint.
bash
# Typical isolation patch workflow
cd /path/to/magento
patch -p1 < VULN-XXXXX-2-4-X.patch
php bin/magento cache:flush
php bin/magento setup:upgrade # only if instructed by patch notes
After applying, verify the patch using Adobe's new Commerce Version Tool: vendor/bin/patch-status. This standalone executable, included with each monthly CE patch, reports which patches are installed, which are missing, and which CVEs you are protected against.
Plan and schedule the full security patch upgrade (~4 to 8 hours for testing, 1 to 2 hours for deployment)
The isolation patch buys you time, but you need the complete security release. Download the full patch version for your release line (e.g. 2.4.8-2026-jul). Build it in your development environment, run your full test suite, automated and manual, with particular attention to checkout, payment integrations, and any custom modules that hook into authentication, session handling, or API endpoints.
Audit your WAF and monitoring (~1 hour)
While you are patching, check your Web Application Firewall (WAF) rules. If you use Cloudflare, Fastly, or Adobe Commerce's built-in WAF on cloud infrastructure, ensure rules are up to date. Enable verbose logging on authentication endpoints and REST/GraphQL APIs. Set up alerts for unusual patterns: spikes in 401/403 responses, abnormal session creation rates, or unexpected admin login attempts.
Review your admin account hygiene (~30 minutes)
Unauthenticated vulnerabilities sometimes chain with other weaknesses. Audit your admin accounts: remove any unused accounts, enforce two-factor authentication (2FA) on all admin users, and rotate admin passwords. Check that your admin URL uses a custom path (not /admin).
Check for signs of prior compromise (~1 to 2 hours)
If your store was running unpatched against previous bulletins, or if there has been any delay in applying this one, run a compromise check. Look for:
-
Unexpected admin users or API tokens
-
Modified core files (diff your codebase against a clean copy)
-
Unfamiliar cron jobs or scheduled tasks
-
JavaScript injections in CMS blocks, headers, or footers (common skimmer injection points)
-
Unusual database entries in core_config_data, particularly around payment gateway settings
Document and update your patching SOP (~30 minutes)
After you have patched, update your internal runbook. Record the date you applied the isolation patch, the date you deployed the full security release, and who was responsible. If this process took longer than 48 hours from bulletin to production, figure out why and fix the bottleneck. With Adobe's new twice-monthly schedule, your patching process needs to be fast, repeatable, and well-documented.
Platform-specific guidance
Magento Open Source / Adobe Commerce (on-premises and cloud)
Full security patch: available from the Adobe Commerce release notes for your specific version line. Use Composer to upgrade: composer require magento/product-community-edition=2.4.X-2026-jul (or product-enterprise-edition for Commerce).
Isolation patch: download from the link in the ka-37421 Knowledge Base article. Apply using the standard patch command.
Adobe Commerce Cloud: if you are on Cloud infrastructure, update your composer.json, push to your integration branch, and promote through staging to production using the standard Cloud deployment workflow. Cloud's WAF will often get updated rules ahead of time, but the WAF is not a substitute for patching.
Security Scan Tool: run Adobe's Security Scan Tool against your store after patching to validate the fix and check for other known issues.
A note on 2.4.6: as On Tap's security patches guide confirms, APSB26-73 includes a fix for the 2.4.6 line, but regular support for Magento 2.4.6 ends on 11 August 2026, four weeks from this bulletin. After that date, bulletins will continue describing vulnerabilities that exist in your codebase, but will no longer come with a patch you can apply. Upgrade planning should already be underway.
Common pitfalls
-
Treating the isolation patch as the finish line. The isolation patch addresses the most critical vulnerabilities only. The full security release contains fixes for all 13 issues across different severity levels. Stopping at the isolation patch leaves you exposed to the rest.
-
Skipping staging and going straight to production. We understand the urgency, but patches occasionally interact with custom code, third-party modules, or specific PHP/MySQL configurations. A 20-minute smoke test on staging can prevent hours of production downtime.
-
Forgetting about the previous bulletins. Security patches are cumulative within a release line, but each bulletin builds on the assumption you have applied the prior ones. If you skipped APSB26-49 or APSB26-05, you need to catch up, not just apply the latest.
-
Ignoring third-party extensions. A significant share of Magento vulnerabilities are introduced by third-party modules that do not follow secure coding practices. When you patch core, also check your extensions for updates, particularly any that handle authentication, payments, or customer data.
-
Not monitoring after patching. Applying the patch does not tell you whether your store was already compromised before you patched. Post-patch monitoring for at least 72 hours, watching logs, checking file integrity, and monitoring for data exfiltration, is essential.
About On Tap
On Tap is a growth-focused eCommerce consultancy maintaining patching and security monitoring services for Adobe Commerce and Magento merchants. As On Tap's security patches guide confirms, APSB26-73 was applied across every On Tap client store the same week it was released. Services include same-day isolation patch deployment, full security release upgrades with regression testing, and post-patch compromise audits.
If you are unsure whether your store is current on security patches or need a team to manage the process end to end, get in touch.


