
— Technical

Adobe Commerce security bulletin APSB26-49 — what it fixes and who needs to act

13 May 2026 · 4 min read

Tags: magento, security, patch, adobe-commerce

Adobe released security bulletin APSB26-49 on May 12, 2026 — the same day as the Magento 2.4.9 general availability release. It addresses multiple vulnerabilities across Adobe Commerce and Magento Open Source, with severity ratings reaching critical.

If your store is running any version listed in the affected table below, this is an active priority, not a scheduled task.

What the vulnerabilities allow

Adobe’s bulletin identifies vulnerabilities that could allow:

  • Arbitrary code execution — an attacker can run code on the server
  • Arbitrary file system write — an attacker can write files to the server
  • Application denial of service — the store can be taken offline
  • Security feature bypass — authentication or access controls can be circumvented

Adobe has stated there are no known active exploits in the wild at the time of release. That’s the standard language in Adobe’s bulletins — it means no confirmed exploitation has been reported, not that exploitation isn’t possible. In practice, the window between a bulletin going public and active scanning for unpatched stores is short. Days, not weeks.

Affected versions

Product              Affected versions
-------------------  ---------------------------------------------------------------------------------------------------------------
Adobe Commerce       2.4.8-p4 and earlier, 2.4.7-p9 and earlier, 2.4.6-p14 and earlier, 2.4.5-p16 and earlier, 2.4.4-p17 and earlier
Adobe Commerce B2B   1.5.2-p4 and earlier, 1.4.2-p9 and earlier, 1.3.4-p16 and earlier, 1.3.3-p17 and earlier
Magento Open Source  2.4.8-p4 and earlier, 2.4.7-p9 and earlier, 2.4.6-p14 and earlier

Fixed versions

Product              Apply this version
-------------------  -----------------------------------------------------------
Adobe Commerce       2.4.9, 2.4.8-p5, 2.4.7-p10, 2.4.6-p15, 2.4.5-p17, 2.4.4-p18
Adobe Commerce B2B   1.5.3, 1.5.2-p5, 1.4.2-p10, 1.3.4-p17, 1.3.3-p18
Magento Open Source  2.4.9, 2.4.8-p5, 2.4.7-p10, 2.4.6-p15

If you’re on a release line not listed above — 2.4.3 and older — those versions are end-of-life and receive no security patches. You’re running without a safety net. The fix there is a full version upgrade. Note also that the 2.4.4-p18 and 2.4.5-p17 patches appear only in the Adobe Commerce row: a Magento Open Source store on 2.4.4 or 2.4.5 has no patch for its line either, and its only route to the fix is an upgrade to 2.4.6-p15 or later.

What to apply if you’re not upgrading to 2.4.9

If upgrading to 2.4.9 isn’t on your near-term roadmap because of PHP version constraints or extension compatibility, apply the security patch for your current release line. Each release line gets its own patch version, so first confirm what you are actually running (bin/magento --version, or composer show for the exact Composer package version) and pick the patch that matches that line.

For example: if you’re on 2.4.7.x, apply 2.4.7-p10. If you’re on 2.4.6.x, apply 2.4.6-p15. These are targeted patches — they don’t introduce the framework-level changes in 2.4.9, just the security fixes. The -p releases are cumulative within a line, so a store on 2.4.7-p3 goes straight to 2.4.7-p10 without stepping through the releases in between.

What changed in this bulletin specifically

The headline security changes in APSB26-49 include:

JWT framework update. The JSON Web Token library used for API authentication was updated. If you have custom integrations that mint or validate bearer tokens outside Magento’s standard token endpoints (integration, customer and admin tokens), re-run their tests against the patched release before it reaches production: token format compatibility is generally maintained, but edge cases exist, and a token-validation failure in an integration surfaces as a silent 401 rather than an obvious error.

CAPTCHA enforcement extended to APIs. Customer account creation via REST and GraphQL now requires CAPTCHA by default. This is a meaningful anti-bot control against bulk fake-account creation. It will break automated test scripts and integration flows that create customer accounts through those APIs unless they pass a valid reCAPTCHA token with the request, or unless you deliberately relax the CAPTCHA configuration for those endpoints in non-production environments. If you relax it for testing, make sure that setting does not travel to production with the rest of your configuration.

Admin URL generation improvements. Hardened against a class of URL manipulation vulnerabilities in admin panel routing.

How to apply security patches

The standard path via Composer (Magento Open Source shown; an Adobe Commerce store requires magento/product-enterprise-edition instead, and a store with B2B also bumps its B2B package to the fixed 1.x version from the table):

# Take the store offline while code and database schema change
bin/magento maintenance:enable

# For a targeted security patch on your current line (e.g. 2.4.7-p10);
# -p releases are cumulative, so you go straight from e.g. 2.4.7-p3 to p10
composer require magento/product-community-edition=2.4.7-p10 --no-update
# The metapackage pins new module versions, so update its dependencies too
composer update magento/product-community-edition --with-all-dependencies

# Run upgrade steps
bin/magento setup:upgrade
bin/magento setup:di:compile
bin/magento setup:static-content:deploy -f
bin/magento cache:flush
bin/magento maintenance:disable

# Confirm the store now reports the fixed version
bin/magento --version

Always run this against a staging environment with a production database snapshot first. Security patches occasionally introduce behaviour changes that surface in checkout or payment flows — test thoroughly before applying to production.
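Choosing the patch for your release line is a lookup against the fixed-version table, and the last step of any patch run is confirming that the installed version actually moved. The script below is an added example for this article, not code from the page or from Adobe, that does both: it encodes the fixed versions from the tables above, classifies an installed version as already patched, patchable in place, or stranded on a line with no patch (end-of-life, or Open Source 2.4.4/2.4.5), and runs that over a plain composer show listing. magento/product-community-edition is the package the article’s commands use; magento/product-enterprise-edition and magento/extension-b2b are assumed here to be the Composer names for Adobe Commerce and its B2B extension, and the composer show lines are constructed for the example.

```python
"""Triage installed Magento / Adobe Commerce versions against APSB26-49.

Added example for this article, not code from Adobe or the page. The fixed
versions are copied from the bulletin's tables above.
"""
import re
import sys

# Newest-first fixed versions per product, keyed by Composer metapackage.
# magento/product-community-edition is the package the article's commands use;
# magento/product-enterprise-edition (Adobe Commerce) and magento/extension-b2b
# (B2B) are assumed package names for this example.
FIXED_VERSIONS = {
    "magento/product-community-edition": (
        "2.4.9", "2.4.8-p5", "2.4.7-p10", "2.4.6-p15"),
    "magento/product-enterprise-edition": (
        "2.4.9", "2.4.8-p5", "2.4.7-p10", "2.4.6-p15", "2.4.5-p17", "2.4.4-p18"),
    "magento/extension-b2b": (
        "1.5.3", "1.5.2-p5", "1.4.2-p10", "1.3.4-p17", "1.3.3-p18"),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(version):
    """'2.4.7-p3' -> (2, 4, 7, 3). A bare '2.4.7' is patch level 0, so
    2.4.7 < 2.4.7-p1 < 2.4.7-p10 compares correctly as tuples."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Magento version string: {version!r}")
    major, minor, patch, plevel = match.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def triage(package, installed):
    """Return {'action': 'none'|'patch'|'upgrade', 'target': version, 'reason': str}."""
    if package not in FIXED_VERSIONS:
        raise KeyError(f"no APSB26-49 data for {package}")
    have = parse_version(installed)
    newest = FIXED_VERSIONS[package][0]
    if have > parse_version(newest):
        return {"action": "none", "target": installed,
                "reason": "newer than the newest release in the bulletin"}
    for candidate in FIXED_VERSIONS[package]:
        fixed = parse_version(candidate)
        if fixed[:3] != have[:3]:
            continue  # different release line
        if have >= fixed:
            return {"action": "none", "target": candidate,
                    "reason": "already at or above the fixed patch level"}
        return {"action": "patch", "target": candidate,
                "reason": "security-only patch exists for this release line"}
    # No entry for this line: end-of-life for this product, or a line
    # (Open Source 2.4.4/2.4.5) that the bulletin patches only under Adobe Commerce.
    return {"action": "upgrade", "target": newest,
            "reason": "no patch for this release line; full upgrade required"}


def triage_composer_show(listing):
    """Run triage over the plain `composer show` listing ('name version
    description', one package per line). Returns (package, version, verdict)."""
    results = []
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] in FIXED_VERSIONS:
            results.append((parts[0], parts[1], triage(parts[0], parts[1])))
    return results


# Constructed sample of `composer show` output for this example.
SAMPLE_COMPOSER_SHOW = """\
magento/composer-root-update-plugin 2.0.4     Magento Composer Root Update Plugin
magento/module-catalog              104.0.7   N/A
magento/product-community-edition   2.4.7-p3  eCommerce Platform for Growth (Community Edition)
"""

if __name__ == "__main__":
    # Use real output when piped in (composer show | python3 this_script.py),
    # otherwise fall back to the constructed sample.
    listing = SAMPLE_COMPOSER_SHOW if sys.stdin.isatty() else sys.stdin.read()
    for package, version, verdict in triage_composer_show(listing):
        print(f"{package} {version}: {verdict['action']} -> {verdict['target']}"
              f" ({verdict['reason']})")
```

Run it twice: once before patching, where the sample store on 2.4.7-p3 comes back as "patch -> 2.4.7-p10", and once after, piping in the real listing (composer show | python3 apsb26_49_triage.py, file name hypothetical) to confirm the verdict has changed to "none". The version parser deliberately rejects anything it cannot read, such as a dev-branch constraint, rather than guessing; treat a ValueError from it as its own finding.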

Official bulletin: Adobe APSB26-49

Savan Padaliya

Senior Engineering Consultant