Magento Open Source 2.4.9 and Adobe Commerce 2.4.9 are now the official stable latest version (released May 12, 2026). This landmark update delivers PHP 8.5 support, replaces three core framework components, introduces over 560 fixes, and sets strict new infrastructure requirements that every merchant needs to plan for. While Magento Open Source 2.4.4 have reached end-of-life, 2.4.5 and 2.4.6 support ends in August 2026, making this post essential reading whether you're upgrading from an older version or planning your path to 2.4.9. Whether you're upgrading from an older version or planning your path to 2.4.9, this post breaks down everything that's changed, covers the updated support timeline, and shares On Tap's upgrade roadmap for your business success.
What is the latest version of Magento?
The latest version of Magento is 2.4.9, released on May 12, 2026, now updated with the July 2026 security patch. This Magento current version is the most architecturally significant update since Magento 2.0, introducing native PHP 8.5 support, replacing three foundational framework components (Laminas MVC, TinyMCE, and Zend_Cache/Redis), resolving over 666 issues in Adobe Commerce and 580 in Magento Open Source, and introducing strict new database requirements.
What makes 2.4.9 different? Three aging core components have been fully replaced with next-generation alternatives. Laminas MVC has been replaced by a native PHP MVC implementation for long-term compatibility beyond PHP 8.5. TinyMCE, whose v5 and v6 reached end-of-life and v7 introduced licensing incompatibilities, has been replaced by HugeRTE. Zend_Cache has been replaced by the Symfony Cache component for better performance and maintainability. Apache ActiveMQ Artemis is now Adobe's recommended long-term message broker. These changes future-proof the platform but mean extension compatibility testing is more critical than ever before upgrading.
Key highlights in both Magento Open Source and Adobe Commerce updates
-
Platform and compatibility updates: Both platforms now support PHP 8.4 and PHP 8.5. PHP 8.3 is supported for upgrade path purposes only, not for new installations or long-term use. PHP 8.2 is no longer supported. All Adobe-distributed extensions are compatible with these versions. 2.4.9 now requires MySQL 8.4 LTS or MariaDB 11.4 LTS; support for MySQL 8.0 and MariaDB 10.6 has been dropped entirely.
-
Security enhancements: Numerous security patches and improvements keep your store safe. The latest bundle, APSB26-73 (July 14, 2026), patches 2.4.9 and every supported earlier line, including a critical unauthenticated file upload flaw (CVE-2026-48356, CVSS 9.6). See the security section below for full details. Subresource Integrity (SRI) also verifies the integrity of loaded resources, helping prevent injection of malicious scripts.
-
Performance improvements: Caching and catalogue rule indexing have been optimised to reduce server load and accelerate page rendering. Database query performance benefits from the latest MySQL 8.4 optimisations, and MariaDB users see improvements moving to 11.4 LTS.
-
Expanded GraphQL & API capabilities: New GraphQL mutations include clearCart (now available to Open Source, not just Adobe Commerce), clearWishlist, and exchangeExternalCustomerToken for integration-based authentication, plus a new grand_total_excl_tax field on order totals and restored customer_id support in the B2B API. On the REST side, product gallery inheritance at the store view level is now handled correctly when media_gallery_entries is omitted.
-
Admin & user experience improvements: The Catalog Price Rules grid gains a bulk Actions menu, staging preview now renders accurate mobile device previews, and a new Cart Merge Preference setting lets merchants control how guest and customer carts combine at sign-in.
-
Fixed issues: 580 issues resolved in Magento Open Source 2.4.9 and 666 in Adobe Commerce 2.4.9, covering checkout, payments, search, GraphQL, B2B workflows, catalog management, and admin UI.


Distinct updates in Adobe Commerce 2.4.9
1. Platform updates
-
Cache and session storage: 2.4.9 adds comprehensive support for Valkey 9.x, with full CLI command parity with Redis and updated Admin and Cloud configuration options. Valkey 8.x, already supported since 2.4.8, remains available.
-
Message queue support: RabbitMQ 4.2 compatibility lets merchants keep using RabbitMQ short-term ahead of RabbitMQ 4.1's end of support. Apache ActiveMQ Artemis, fully supported across 2.4.6 through 2.4.9, is Adobe's recommended long-term replacement.
-
Database: MariaDB 11.8 and 12.x are now supported alongside the existing MariaDB 11.4 LTS and MySQL 8.4 LTS baseline, giving merchants more options for long-term database planning. Note that Adobe Commerce 2.4.8 and 2.4.9 are the last Adobe Commerce versions to support MySQL; MariaDB is the recommended path going forward.
-
Search engine transition: Fully compatible with OpenSearch 3.x, now the recommended search engine, with backward compatibility to OpenSearch 2.x retained. Elasticsearch is no longer supported.
-
Technology stack: Composer 2.9, PHPUnit 12, and Symfony 7.4 LTS across all Symfony dependencies. JavaScript libraries updated include Chart.js 4.5.0, Uppy 4.13.4, jQuery Validate 1.21.0, jQuery UI 1.14.1, Less.js 4.2.2, Moment Timezone 0.5.43, and Underscore.js 1.13.7.
2. Enhanced security measures
CAPTCHA validation is now enforced for customer account creation via REST and GraphQL, matching the protection already applied to the storefront Create Account form. Two-factor authentication has been simplified: admin users now only need to configure one of the merchant's enabled 2FA providers to access the Admin panel, instead of every enabled provider. A separate fix restores expected execution times for bulk asynchronous web API endpoints. Security patches now follow a monthly release schedule starting in 2026; APSB26-05 (March 2026), APSB26-49 (May 2026), and APSB26-73 (July 2026) are the bundles released so far this year.
APSB26-73 (July 14, 2026): A Priority 2 update for Adobe Commerce, Adobe Commerce B2B, Magento Open Source, and Adobe Commerce Events. Adobe isn't aware of active exploits, but the bundle includes a critical, unauthenticated flaw, so patching promptly is strongly advised.
Key vulnerabilities fixed:
-
Critical severity
-
Critical (CVSS 9.6): Unrestricted file upload, unauthenticated, leads to privilege escalation (CVE-2026-48356).
-
Critical (CVSS 9.1): Improper output encoding in webhooks, leads to arbitrary code execution (CVE-2026-48358).
-
Critical (CVSS 8.7): Stored XSS, leads to privilege escalation (CVE-2026-47994).
-
Critical (CVSS 8.6, 8.2): Incorrect authorization, unauthenticated bypass (CVE-2026-47988, CVE-2026-47984).
-
Critical (CVSS 8.1): Stored XSS in B2B (CVE-2026-47995).
-
Critical (CVSS 7.6, 7.2): Authorization bypass and input validation issues (CVE-2026-47996, CVE-2026-47992).
-
-
Important/Moderate severity: Five further issues (three Important, two Moderate) covering authorization bypass, stored XSS, open redirect, and information exposure.
3. Performance improvements
SRI hash storage has been refactored to generate separate files per area, theme, and locale instead of one large combined file, so only the relevant hash file loads per page. This speeds up page loads and cuts memory usage on stores running multiple themes or locales.
4. REST API changes
Updating a product via REST API at the store view level no longer causes images and videos to unexpectedly inherit from global scope when media_gallery_entries is omitted or set to null. Scope inheritance can also now be explicitly restored by setting individual gallery fields (label, position, disabled, video title/description) to null.
5. GraphQL
-
Cart and wishlist: New clearCart and clearWishlist mutations clear an entire cart or wishlist in one call (clearCart is now available to Open Source, not just Adobe Commerce). Gift options now clear automatically when a cart is emptied and merge consistently when guest and customer carts combine at login.
-
Customer and authentication: A new exchangeExternalCustomerToken mutation authenticates via an integration token. applyGiftCardToCart returns more specific errors for expired or zero-balance cards. reCAPTCHA validation now covers updateCustomer, updateCustomerV2, contactUs, and applyCouponsToCart.
-
Orders and totals: A new OrderTotal.grand_total_excl_tax field returns tax-exclusive order totals directly. Historical orders now show full product details even for items that have since gone out of stock.
-
B2B: The customer_id field in the B2B GraphQL API is restored and fully supported, after previously being deprecated and returning null.
6. Braintree payment enhancements
Express checkout gains promo/offer code support in the Google Pay and Apple Pay pay sheets, Apple Pay now works on Chrome and Firefox (not just Safari), and the PayPal Express shipping callback moved server-side for more accurate real-time shipping costs. New payment options include ELO cards, BLIK for Polish shoppers, and Pay Upon Invoice (a PayPal/Ratepay BNPL option) for German buyers. Customers can now vault Google Pay cards via the account area, and a Real-Time Account Updater keeps vaulted Visa, Mastercard, and Discover details current automatically. Admins get a direct link from Commerce orders to the Braintree Portal, and the Braintree extension is now PHP 8.5 compatible.
7. Shipping
USPS integration has migrated to the new RESTful USPS APIs with OAuth 2.0 authentication, in line with USPS's retirement of the legacy Web Tools APIs; the legacy API remains selectable during the transition. DHL integration now also supports MyDHL RESTful APIs alongside the existing legacy DHL Express XML API.
8. Major fixed issue
666 issues resolved in Adobe Commerce 2.4.9 core code, including missing product attribute values after EAV cache updates, malformed REST API requests that returned 500 errors instead of clear 400 responses, Fixed Product Tax (FPT) values that differed between the cart and product pages, duplicate orders under concurrent multishipping requests, and a Google Analytics CSP issue that blocked tracking when the Google Adwords module was disabled.
Learn more: For detailed information on Adobe Commerce 2.4.9 updates, visit Adobe Experience League.
What’s new in Magento Open Source 2.4.9
1. Framework enhancements
Magento Open Source 2.4.8 introduces several framework enhancements designed to improve stability, performance, and compatibility. Core Composer dependencies, including league/flysystem, php-amqplib/php-amqplib, monolog/monolog, wikimedia/less.php, jquery/validate, and moment.js, have been updated to their latest versions.
The jQuery file uploader was replaced with the Uppy library, and the ExtJS folder was removed as functionality migrated to jsTree. Database compatibility has been expanded to include MySQL 8.4 LTS and MariaDB 11.4 LTS.
2. API improvements and fixes
The clearCart GraphQL mutation, previously Adobe Commerce only, is now available to all Magento Open Source users. Malformed REST API requests that used to return a generic 500 Internal Server Error now correctly return a 400 Bad Request, making integration issues easier to diagnose.
3. Bug fixes and stability
580 issues addressed in the Magento Open Source 2.4.9 core code, including missing product attribute values after EAV cache updates, coupon and cart price rule logic, customer address validation, and Fixed Product Tax (FPT) consistency between the cart and product pages.
Should I upgrade to 2.4.9 right now?
Magento 2.4.9 is generally available and has already received two security patch rounds (May and July 2026). As the first release under Adobe's new annual cadence, and a major release with three framework component replacements, it still carries higher compatibility risk than a standard patch release.
-
If you're on 2.4.6: The August 2026 end-of-life deadline makes upgrading urgent. Moving to 2.4.8 now is a safe stepping stone. Apply the July 2026 patch to your current version immediately either way.
-
If you're on 2.4.7 or 2.4.8: You can afford to wait before upgrading production to 2.4.9. Use the time to test extensions and prepare infrastructure (PHP 8.4/8.5, MySQL 8.4 or MariaDB 11.4), and apply the July 2026 patch now.
-
For all merchants: Begin extension compatibility auditing now, especially for extensions using TinyMCE APIs, Laminas MVC, or Zend_Cache. Apply APSB26-73 for your current version regardless of upgrade timeline.
-
Check your database version: MySQL 8.0 and MariaDB 10.6 are dropped in 2.4.9, a non-negotiable infrastructure change requiring separate planning.
| Need help mapping out the safest upgrade path for your store? Contact On Tap - our certified team can audit your current setup and recommend a realistic timeline with minimal disruption. |
Preparing for the 2.4.9 upgrade
We recommend that all Magento merchants plan their upgrade to version 2.4.9 as part of a broader strategy to optimise their eCommerce environment. Because 2.4.9 replaces three core framework components, planning is more involved than a typical minor release. Here are the essential steps:
-
Apply the latest security patch first. Update to APSB26-73 for your current version now, before anything else.
-
Upgrade PHP to 8.4 or 8.5. PHP 8.2 isn't supported; PHP 8.3 is upgrade path only. Confirm your host supports 8.4/8.5.
-
Upgrade your database. MySQL 8.4 LTS or MariaDB 11.4 LTS (11.8 and 12.x are also now supported) is required. MySQL 8.4 has stricter foreign key validation, so test your schema first. Note that 2.4.8 and 2.4.9 are the last Adobe Commerce versions to support MySQL at all, so plan a longer-term move to MariaDB if you're on Adobe Commerce.
-
Migrate to OpenSearch. OpenSearch 3.x is now recommended, with 2.x still supported. Elasticsearch is no longer supported.
-
Audit extensions for HugeRTE, Laminas MVC, and Symfony Cache compatibility. Confirm 2.4.9 support with vendors.
-
Evaluate your message queue setup. Confirm RabbitMQ 4.2 if applicable, and plan a longer-term move to Apache ActiveMQ Artemis.
-
Back up your store before upgrading.
-
Test in staging first, given the scope of framework changes in 2.4.9.
-
Engage experienced developers for a seamless upgrade and ongoing maintenance.
-
Track performance post-launch to catch any slowdowns early.
Magento/Adobe Commerce 2.4.9 release and patch schedule
Version 2.4.9 became available as a beta on March 10, 2026, with official GA on May 12, 2026.
| General availability | Patches |
| March 10, 2026 | 2.4.9-beta1; security patches for 2.4.8, 2.4.7, 2.4.6, and (Adobe Commerce only) 2.4.5, 2.4.4 |
| May 12, 2026 | 2.4.9 GA; APSB26-49 patches (2.4.8-p4, for 2.4.8, 2.4.7, 2.4.6) |
| July 14, 2026 | APSB26-73 patches for 2.4.9, 2.4.8, 2.4.7, 2.4.6, 2.4.5, 2.4.4, plus Adobe Commerce B2B and Commerce Events |
From January 2026, Adobe's cadence is: monthly isolated security patches as needed, one major version per year in May, and aggregated security patches in May and November. Each 2.4.x release carries a three-year support window from its GA date.
Here are the recent Adobe Commerce releases and their corresponding end-of-support dates to assist you in planning upgrades and ensuring continued stability and security for your eCommerce platform.
| Version | Release date | End of support | Status |
| 2.4.9 | May 12, 2026 | May 2029 | ★ Latest - Recommended |
| 2.4.8 | April 8, 2025 | April 11, 2028 | Active |
|
2.4.7 |
April 9, 2024 | April 9, 2027 | Active |
| 2.4.6 | March 14, 2023 | August 11, 2026 | Upgrade urgently |
| 2.4.5 | August 9, 2022 | Regular support ended August 12, 2025. Extended support (Adobe Commerce only) ends August 2026. | End of regular support |
| Important: Regular support for 2.4.5 ended in August 2025; the extension through August 2026 applies to Adobe Commerce only, not Magento Open Source. Merchants on 2.4.5 Open Source are already unsupported and should upgrade immediately. Note that 2.4.4 also received an Adobe Commerce only patch under APSB26-73; Magento Open Source 2.4.4 remains end-of-life. | |||
Learn more: If you are unsure of the version you are using, consult our comprehensive guide on how to check Magento version.
What’s next after Magento 2.4.9?
Adobe's development roadmap does not stop at Magento 2.4.9. From 2026, Adobe operates a structured annual release cadence: one major version each May, monthly isolated security patches across all supported lines. Magento 2.4.10 can be expected in May 2027, continuing the pattern of one major release per year. The next aggregated patch bundle is expected around November 2026.
Evergreen is designed to address this reality. As a free upgrade solution from On Tap, it delivers all future Magento minor releases, security patches, and hotfixes in line with platform’s release cycle at no additional cost. This keeps your store current and compatible over time while removing unpredictable upgrade projects, reducing long-term maintenance overhead, and lowering the risk of forced replatforming.
Making the most of Magento latest version
The latest Magento version helps merchants strengthen security, boost performance, and streamline operations. Key updates in 2.4.9 include a modernised framework stack (native PHP MVC, HugeRTE, Symfony Cache with Valkey 9 support), expanded GraphQL and REST capabilities, simplified 2FA configuration, and a major Braintree payments upgrade, now reinforced by the July 2026 APSB26-73 patch.
Magento 2.4.9 is a highly recommended upgrade for all Magento Open Source and Adobe Commerce users who want to keep their stores secure, fast, and feature-rich. Merchants not ready to move to 2.4.9 immediately should ensure they are at least on 2.4.8 with the latest security patches applied, or must upgrade from 2.4.6 before August 2026. If you’re considering upgrading your Adobe Commerce/Magento Open Source store or adopting Adobe Commerce as a Cloud Service platform, On Tap - a certified Magento development agency is here to help. With our proven expertise and free Magento upgrades solution, we help merchants stay ahead of every Magento release with minimal effort and maximum stability.
Contact us today to discuss how we can support you in upgrading from your current Magento version and innovative solutions that can transform your online business.


