Security update available for Adobe Commerce - APSB26-73

On July 14, 2026, Adobe released a regularly scheduled security update for Adobe Commerce and Magento Open Source. This update resolves critical, important, and moderate vulnerabilities. Successful exploitation of these vulnerabilities could lead to arbitrary code execution, security feature bypass, and privilege escalation. More information can be found in the Adobe Security Bulletin (APSB26-73) here.

Notes:

To help ensure that the remediation for the issues listed in the Adobe Security Bulletin (APSB26-73), can be applied as promptly as possible, Adobe has also released an Isolated patch that resolves the issues in the Adobe Security Bulletin (APSB26-73). This allows merchants to apply the fix in isolation with fewer risks of delay due to potential integration issues.

Please apply the latest security updates as soon as possible. If you fail to do so, you will be vulnerable to these security issues, and Adobe will have limited means to help remediate the issue further.

Please contact Support Services if you encounter any issues applying the security patch/Isolated patch.

Description description

Affected products and versions

Adobe Commerce on Cloud infrastructure, Adobe Commerce on-premises, and Magento Open Source:

  • 2.4.9
  • 2.4.8-p5 and earlier
  • 2.4.7-p10 and earlier
  • 2.4.6-p15 and earlier
  • 2.4.5-p17 and earlier
  • 2.4.4-p18 and earlier

Resolution resolution

For Adobe Commerce on Cloud, Adobe Commerce on-premises, and Magento Open Source software

Note: This issue is resolved by the latest cloud-patches update. Attempting to apply the Isolated patch when the fix is already in place from the cloud-patches update can cause installation failures.

To help resolve the vulnerability for the affected products and versions, you must apply the Isolated patch, depending on your Adobe Commerce/Magento Open Source version.

Isolated Patch Details

Use the following attached Isolated patches, depending on your Adobe Commerce/Magento Open Source version:

Note: To apply an Isolated security patch file, merchants must be on the latest security-only patch release (the latest -p version) for their supported release line, as Isolated security fixes are tested exclusively against that version. See the Patch release schedule for more information.

For version 2.4.9

For version 2.4.8-p5

For version 2.4.7-p10

For version 2.4.6-p15

For version 2.4.5-p17

Note: After clicking the patch file link below for 2.4.5-p17 in a browser, merchants will see a pop-up dialog box, where they should enter their Composer public key as the username, and their Private key as the password.

For version 2.4.4-p18

Note: After clicking the patch file link below for 2.4.4-p18 in a browser, merchants will see a pop-up dialog box, where they should enter their Composer public key as the username, and their Private key as the password.

How to apply the Isolated patch

Unzip the file and see How to apply a composer patch provided by Adobe in our support knowledge base for instructions.

For Adobe Commerce on Cloud merchants only - How to tell whether the Isolated patches have been applied

Considering that it isn’t possible to easily check if the issue was patched, you might want to check whether the Isolated patch has been successfully applied.

You can do this by taking the following steps, using the file VULN-27015-2.4.7_COMPOSER.patch as an example:

  1. Install the Quality Patches Tool.

  2. Run the command: vendor/bin/magento-patches -n status |grep "27015\|Status"

  3. You should see output similar to this, where VULN-27015 returns the Applied status:

    code language-none
    ║ Id    │ Title                                                   │ Category   │ Origin   │ Status      │ Details               ║
    ║ N/A   │ ../m2-hotfixes/VULN-27015-2.4.7_COMPOSER_patch.patch    │ Other      │ Local    │ Applied     │ Patch type: Custom    ║
    

Note:

Adobe is introducing a new tool with these security updates:

Since a monthly security release can include several patch files, use the Commerce Version Tool below to confirm your installation is fully patched.

Commerce Version Tool: This tool is for both Adobe Commerce on-premises and Adobe Commerce on Cloud infrastructure environments. A standalone executable included with each monthly Adobe Commerce security patch. It helps merchants to verify patch coverage by reporting which monthly security patches are installed, which are missing, and which CVEs the installation is protected against. Note that the Commerce Version Tool is only available after a merchant applies the CE (Community Edition) patch file. Note that Adobe Commerce security patches are non-cumulative and must be applied in sequence. Additional information is available here.

Security updates

Security updates available for Adobe Commerce:

recommendation-more-help
experience-cloud-kcs-help-kbarticles