Adobe Commerce 2.4.6-p3 release notes

Adobe Commerce 2.4.6-p3 is a security release that provides ten security fixes that enhance your Adobe Commerce 2.4.6 or Magento Open Source 2.4.6 deployment. It provides fixes for vulnerabilities that have been identified in previous releases.

Adobe Commerce releases may contain backward-incompatible changes (BICs). To review backward-incompatible changes, see BIC reference. Major backward-incompatible issues are described in BIC highlights. Not all releases introduce major BICs.

What’s in this release?

Security enhancements for this release improve compliance with the latest security best practices. These improvements include ten security fixes.

This security patch includes:

  • security highlights
  • security fixes

Security highlights

This release introduces a new full page cache configuration setting that helps to mitigate the risks associated with the {BASE-URL}/page_cache/block/esi HTTP endpoint. This endpoint supports unrestricted, dynamically loaded content fragments from Commerce layout handles and block structures. The new Handles Param configuration setting sets the value of this endpoint’s handles parameter, which determines the maximum allowed number of handles per API. The default value of this property is 100. Merchants can change this value from the Admin (Stores > Settings:Configuration > System > Full Page Cache > Handles Param.

Security fixes

This patch includes ten security fixes. See Adobe Security Bulletin for the latest discussion of these fixed issues.

Hotfixes included in this release

Adobe Commerce 2.4.6-p3 includes resolution of the performance degradation that was addressed by patch ACSD-51892. Merchants are not affected by the issue addressed by this patch, which is described in the ACSD-51892: Performance issue where config files load multiple times Knowledge Base article.

Known issue

Issue: Adobe Commerce displays a wrong checksum error during download by Composer from, and package download is interrupted. This issue can occur during download of release packages that were made available during prerelease and is caused by a repackaging of the magento/module-page-cache package.

Workaround: Merchants who see this error during download can take these steps:

  1. Delete the /vendor directory inside the project, if one exists.
  2. Run the bin/magento composer update magento/module-page-cache command. This command updates only the page cache package.

If the checksum problem persists, remove the composer.lock file before re-running the bin/magento composer update command to update every package.

Installation and upgrade instructions

For instructions on downloading and upgrading to security patch releases, see Quick start install.

More information?

For general information about security patches, see Adobe Commerce release policy.