DocumentationCommerceTools

[PaaS only]{class="badge informative" title="Applies to Adobe Commerce on Cloud projects (Adobe-managed PaaS infrastructure) and on-premises projects only."}

ACP2E-4507: Password Options configuration doesn’t apply to customer password reset requests made through GraphQL mutations

Last update: Tue Apr 28 2026 00:00:00 GMT+0000 (Coordinated Universal Time)

CREATED FOR:

  • Experienced
  • Admin
  • Developer

The ACP2E-4507 patch fixes the issue where the Password Options configuration isn’t applied for customer password reset requests made through GraphQL mutations. This patch is available when the Quality Patches Tool (QPT) 1.1.78 is installed. The patch ID is ACP2E-4507. Please note that this issue is scheduled to be fixed in Adobe Commerce 2.4.9.

Affected products and versions

The patch is created for Adobe Commerce version:

  • Adobe Commerce (all deployment methods) 2.4.8-p3

Compatible with Adobe Commerce versions:

  • Adobe Commerce (all deployment methods) 2.4.8 - 2.4.8-p4
NOTE
The patch might become applicable to other versions with new Quality Patches Tool releases. To check if the patch is compatible with your Adobe Commerce version, update the magento/quality-patches package to the latest version and check the compatibility on the Quality Patches Tool: Search for patches page. Use the patch ID as a search keyword to locate the patch.

Issue

The Password Options configuration isn’t applied for customer password reset requests made through GraphQL mutations.

Steps to reproduce:

  1. Check and confirm the customer password options in
    Store > Configurations > Customers > Customer Configuration > Password Options.
  2. Send a password reset email using the requestPasswordResetEmail GraphQL mutation.
  3. Reset the password using the resetPassword GraphQL mutation using the token from the sent email.
  4. Repeat the same steps to reset the password multiple times.

Expected results:

The customer password resets triggered via GraphQL behaves the same way as web-based password resets and honors Admin configuration settings.

Actual results:

Password reset requests made through GraphQL can be triggered an unlimited number of times and don’t enforce the limits defined in the Admin customer password configuration.

Apply the patch

To apply individual patches, use the following links depending on your deployment method:

To learn more about Quality Patches Tool, refer to:

recommendation-more-help
c2d96e17-5179-455c-ad3a-e1697bb4e8c3