Magento latest version: Key features you shouldn't miss

Magento Open Source 2.4.9 and Adobe Commerce 2.4.9 are now the official stable latest version (released May 12, 2026). This landmark update delivers PHP 8.5 support, replaces three core framework components, introduces over 560 fixes, and sets strict new infrastructure requirements that every merchant needs to plan for. While Magento Open Source 2.4.4 have reached end-of-life, 2.4.5 and 2.4.6 support ends in August 2026, making this post essential reading whether you're upgrading from an older version or planning your path to 2.4.9. Whether you're upgrading from an older version or planning your path to 2.4.9, this post breaks down everything that's changed, covers the updated support timeline, and shares On Tap's upgrade roadmap for your business success.

The latest version of Magento is 2.4.9, released on May 12, 2026. This Magento current version is the most architecturally significant update since Magento 2.0, introducing native PHP 8.5 support, replacing three foundational framework components (Laminas MVC, TinyMCE, and Zend_Cache/Redis), resolving over 560 issues in Adobe Commerce and 581 in Magento Open Source, and introducing strict new database requirements. In this post, you'll discover what's new in Magento 2.4.9, why acting now secures official support through 2029, and the essential steps to plan a friction-free rollout.

What makes 2.4.9 different? Three aging core components have been fully replaced with next-generation alternatives. Laminas MVC has been replaced by a native PHP MVC implementation to ensure long-term compatibility beyond PHP 8.5. TinyMCE - whose v5 and v6 reached end-of-life and v7 introduced licensing incompatibilities - has been replaced by HugeRTE, an open-source alternative. Zend_Cache has been replaced by the Symfony Cache component for better performance and maintainability. On top of these, Apache ActiveMQ Artemis is now Adobe's recommended long-term message broker. These changes future-proof the platform but mean extension compatibility testing is more critical than ever before upgrading.

Alongside the 2.4.9 GA release, Adobe published security bulletin APSB26-49 (12 May 2026), resolving critical, important, and moderate vulnerabilities across all supported release lines, including risks of arbitrary code execution, arbitrary file system write, application denial-of-service, and security feature bypass.

• Platform and compatibility updates: Both platforms' latest versions now support PHP 8.4 and PHP 8.5. PHP 8.3 is supported for upgrade path purposes only - it is not recommended for new installations or long-term use. PHP 8.2 is no longer supported in 2.4.9. All Adobe-distributed extensions are compatible with these versions. In terms of databases, 2.4.9 now requires MySQL 8.4 LTS or MariaDB 11.4 LTS - support for MySQL 8.0 and MariaDB 10.6 has been dropped entirely.

• Security enhancements: This release includes numerous security patches and improvements to keep your store safe. Adobe has resolved several known vulnerabilities (rated Important/Moderate) that could lead to unauthorised access or privilege escalation. A notable addition in both is the implementation of Subresource Integrity (SRI), which verifies the integrity of loaded resources, helping to prevent the injection of malicious scripts.

• Performance improvements: Caching mechanisms and catalogue rule indexing have been optimised to reduce server load and accelerate page rendering. Database query performance is also improved by taking advantage of the latest MySQL 8.4 optimisations. Merchants using MariaDB will see improvements when moving to the 11.4 LTS version, which Magento 2.4.8 fully supports​.

• Expanded GraphQL & API capabilities: The GraphQL API has been extended to support more storefront scenarios and headless implementations. New GraphQL features include support for custom scalar data types, multi-field product sorting, enhanced cart and checkout queries, and more comprehensive coverage of store configurations​. These changes pave the way for smoother PWA and Adobe Commerce Edge storefront integrations.

• Admin & user experience improvements: Magento 2.4.8 modernises the back-end and front-end experience. The admin content editor has been upgraded (TinyMCE v6+ replacing v5) and outdated libraries like the old file uploader and tree controls have been replaced with modern alternatives.

• Fixed issues: 581 issues have been resolved in Magento Open Source 2.4.9 and 560 in Adobe Commerce 2.4.9, covering checkout, payments, search, GraphQL, B2B workflows, catalog management, and the admin UI. Notable fixes include correcting GraphQL discount percentage display when catalog prices include tax, preventing duplicate product images across multi-store setups, and resolving race conditions during concurrent product save operations.

Adobe Commerce 2.4.9 brings a wide range of platform modernisation changes covering caching, message queues, framework components, and search engine integration.

• Cache and session storage: The release now includes support for Valkey 8.x, enhancing caching capabilities and overall platform performance.

• Message queue support: Support for RabbitMQ 4.x has been added, with a requirement for merchants to migrate from classic mirrored queues to quorum queues, which provide high availability by replicating data across multiple nodes, since classic queues are unsupported in RabbitMQ 4.

• Components and dependencies: Numerous third-party components, such as Composer, jQuery, TinyMCE, Monolog, Uppy, and Varnish, have been updated to their latest stable versions to improve platform stability and performance. Outdated components like TinyMCE 5 have been removed, and Laminas dependencies have been replaced with modern alternatives or native PHP solutions.

• Search engine transition: Adobe Commerce 2.4.8 is now optimised for OpenSearch 2.19, with support for Elasticsearch 7 and 8 modules deprecated and removed. The admin panel displays warnings when Elasticsearch is selected as the search engine, strongly recommending migration to OpenSearch to ensure continued support and compatibility.

• Technology stack: Adobe updated a swath of third-party libraries and core components to their latest versions, bolstering overall platform stability. For example, Magento now uses Composer 2.8 for dependency management, PHPUnit 10 for testing, and upgraded JavaScript libraries like jQuery/Bootstrap 5.3.3 and Moment.js 2.30 for a more secure and efficient codebase.

Security remains a top priority for Adobe Commerce, and version 2.4.8 includes multiple security enhancements and patch updates. These updates address vulnerabilities and strengthen the platform against emerging threats, helping protect your store and your customers’ data.

Adobe Commerce 2.4.8 introduces significant security advances centred around authentication, encryption, and data integrity. The Duo Security two-factor authentication (2FA) implementation has been updated to use the latest Web SDK v4, facilitating a seamless transition to Duo Universal Prompt. Encryption key management has been redesigned to improve usability and eliminate past limitations, introducing new CLI commands for key changes and re-encryption of sensitive data. These improvements collectively strengthen the security posture of Magento stores.

Adobe Commerce and Magento Open Source security patches now follow a monthly release schedule starting from 2026, providing faster vulnerability responses through 2.4.8's support window. The latest Adobe Commerce/Magento Open Source 2.4.8-p4 and B2B v1.5.3-beta1, released March 10, 2026, deliver critical fixes via Adobe Security Bulletin APSB26-05 - the first under this accelerated cadence.

Key fixes in 2.4.8-p4/APSB26-05

• Critical severity

  • Incorrect Authorisation (CWE-863): Security feature bypass allowing arbitrary data access (CVE-2026-21289, CVE-2026-21309, CVSS 7.5).

  • Stored XSS (CWE-79) Privilege escalation via malicious scripts (CVE-2026-21361, CVE-2026-21284, CVE-2026-21290, CVSS 8.1-8.7).

• Important severity

  • Incorrect Authorisation (CWE-863): Multiple bypasses (CVE-2026-21285, CVE-2026-21286, CVSS 4.3-5.3).

  • Stored XSS (CWE-79): Arbitrary code execution risks (CVE-2026-21291, CVE-2026-21292, CVSS 4.8-5.4).

  • SSRF (CWE-918): Arbitrary file read & bypass (CVE-2026-21293, CVE-2026-21294, CVSS 5.5).

  • Path Traversal (CWE-22): Security feature bypass (CVE-2026-21360, CVSS 6.8).

  • Improper Input Validation (CWE-20): DoS & bypass (CVE-2026-21282, CVE-2026-21310, CVSS 5.3).

• Moderate severity

  • Open Redirect (CWE-601): Security feature bypass (CVE-2026-21295, CVSS 3.1).

  • Incorrect Authorisation (CWE-863): Low-impact bypasses (CVE-2026-21296, CVE-2026-21297, CVSS 3.5).

Adobe Commerce 2.4.8 introduces optimisations that improve overall site responsiveness. The release focuses on improving indexing and product price updates. By default, all indexers are now set to Update by Schedule mode during new installations or upgrades. This ensures that expensive indexing operations (rebuilding search indexes, product price indices, etc.) are run via cron schedules rather than immediately on every update, which reduces lag during admin product saves and checkout updates. By having indexers in the recommended scheduled mode by default, Adobe Commerce 2.4.8 improves system throughput and prevents performance bottlenecks out of the box​.

Apart from that, the platform has improved the efficiency of bulk updates for tier prices through the /V1/products/tier-prices REST API endpoint. This enhancement prevents performance degradation and site unresponsiveness that could occur when updating large volumes of product prices, ensuring smoother and more reliable price management for merchants. These updates contribute to a faster, more stable, and scalable platform experience.

Adobe Commerce 2.4.8 delivers key quality enhancements that improve system reliability and user experience. One notable update addresses an important issue in inventory management: the platform now operates without the previously hidden dependency on Catalog caused by the InventoryIndexer. This fix ensures that critical functions such as product creation, display mode switching, and stock status updates work consistently and as expected, eliminating synchronisation inconsistencies caused by mismatched entities. 

What’s more, to enhance usability and reduce confusion, the label of the Submit Comment button on the order detail page has been changed to Update, providing clearer communication for users managing order comments. These quality improvements contribute to a smoother, more intuitive experience for both merchants and customers.

Adobe Commerce version 2.4.8 includes several GraphQL refinements aimed at improving the precision of data retrieval and enhancing user experience. Key GraphQL updates include:

• Cart and checkout: New fields have been added to the CartItemPrices type to support more accurate pricing and discount calculations. The checkout process now displays only the "Free" payment method when the order total is zero, reducing shopper confusion. Additionally, the grand_total_excluding_tax field was added to the CartPrices type, and GraphQL support now includes cart rule information accessible via new configurations and queries.

• Customer and customer groups: Error handling in the generateCustomerToken mutation now provides specific error messages for unconfirmed emails, aiding user guidance. New queries such as customerSegments and customerGroup have been introduced to enhance personalisation and segment information, complemented by store configurations for managing customer groups. The customer query now includes a paginated customer.addressesV2 field for address management.

• Orders: Order-related GraphQL functionality has been significantly improved with enhanced error messages that show available inventory during order updates. Order management has been streamlined with features like merging guest orders to customer accounts based on email. New mutations like confirmCancelOrder enable guest shoppers to cancel orders, and queries have been updated to improve data consistency and user experience. 

• Gift options and gift cards: Gift options related to wrapping and printed cards have been enriched with accurate tax displays and additional price objects in the products query, as well as gift message handling for virtual products. 

• Security: This has been enhanced by providing a theme field for reCAPTCHA configuration and ensuring 401 Unauthorized responses for requests with expired tokens. 

These upgrades improve the efficiency and accuracy of data management through GraphQL, providing a better overall experience for developers and users alike.

582 issues have been resolved in the Adobe Commerce version 2.4.8 core code.

• APIs: Fixed async operation failures when the SKU was missing from the payload, resolved issues with updating base prices using the REST API, ensuring correct increment ID handling. 
• Analytics/ Reporting: Problems with Google Analytics tracking, which caused errors for users in Europe, have been resolved, ensuring accurate data collection for website traffic. Reporting has been improved with faster generation of sales reports, correct currency symbols, and accurate calculations in coupon usage reports. Checkout is now more seamless, with fewer clicks required for PayPal and Google Pay express payments. 
• B2B: Products assigned to shared catalog via REST API are now immediately visible on storefront after partial indexing is complete. The version update also prevents restricted categories and their content from being displayed on the storefront while catalogue permissions indexing is being performed. Other issues related to button or price display have also been tackled.

Learn more: For detailed information on Adobe Commerce 2.4.8 updates, visit Adobe Experience League.

Magento Open Source 2.4.8 brings a host of valuable updates designed to improve the shopping experience, streamline operations, and enhance overall platform security. Key updates include framework, APIs and security advancements, and bug fixes.

Magento Open Source 2.4.8 introduces several framework enhancements designed to improve stability, performance, and compatibility. Core Composer dependencies, including league/flysystem, php-amqplib/php-amqplib, monolog/monolog, wikimedia/less.php, jquery/validate, and moment.js, have been updated to their latest versions. 

The jQuery file uploader was replaced with the Uppy library, and the ExtJS folder was removed as functionality migrated to jsTree. Database compatibility has been expanded to include MySQL 8.4 LTS and MariaDB 11.4 LTS.

• REST API: Resolved several issues related to special characters in category URLs, SKU with slashes, and improved error handling for asynchronous product saves.
• GraphQL API: Fixes related to integer values when executing a GraphQL query.
• Tier Price API: Improved efficiency of bulk updates to tier prices via the REST API to prevent performance issues and site unresponsiveness.

This release addresses 497 issues, reflecting a significant commitment to improving the platform's stability and functionality. Notable fixes include correcting the application logic for coupon codes in the cart, ensuring proper handling of product images with capital letter file extensions, and addressing errors in customer address forms when the region field is not displayed. Additionally, the update also resolves a Content Security Policy (CSP) issue that blocked PayPal Paylater fonts, ensuring proper display.

Learn more: Magento Open Source 2.4.8 release notes.

Magento 2.4.9 is now generally available, but as the first release under Adobe's new annual cadence - and a major .0 release with three framework component replacements - it carries a higher compatibility risk than a standard patch release. Here's how to think about your timing:

• If you're on 2.4.6: The August 2026 end-of-life deadline makes upgrading urgent. Moving to 2.4.8 now is a safe stepping stone that keeps you protected while you plan for 2.4.9.

• If you're on 2.4.7 or 2.4.8: You're in a good position to wait for 2.4.9-p1 (expected November 2026) before upgrading production. Use the time to test extensions and prepare your infrastructure (PHP 8.4/8.5, MySQL 8.4 or MariaDB 11.4).

• For all merchants: Begin extension compatibility auditing now. Extensions using TinyMCE APIs, Laminas MVC components, or Zend_Cache will need vendor updates before you can upgrade.

• Check your database version: MySQL 8.0 and MariaDB 10.6 are dropped in 2.4.9. This is a non-negotiable infrastructure change that requires separate planning.

We recommend that all Magento merchants plan their upgrade to version 2.4.9 as part of a broader strategy to optimise their eCommerce environment. Because 2.4.9 replaces three core framework components, planning is more involved than a typical minor release. Here are the essential steps:

• Upgrade PHP to 8.4 or 8.5: Magento 2.4.9 does not support PHP 8.2. PHP 8.3 is permitted as an upgrade-path-only version but is not recommended for production. Confirm your hosting environment supports PHP 8.4 or 8.5 before beginning.

• Upgrade your database: MySQL 8.0 and MariaDB 10.6 are no longer supported. You must be running MySQL 8.4 LTS or MariaDB 11.4 LTS. Note that MySQL 8.4 introduces stricter foreign key validation - test your schema ahead of time.

• Migrate to OpenSearch 2.19 or 3: Elasticsearch support has been removed. Sites using Elasticsearch must complete migration to OpenSearch before upgrading. OpenSearch 3 is supported in 2.4.9.

• Audit your extensions for HugeRTE, Laminas MVC, and Symfony Cache compatibility: Any extensions using TinyMCE APIs, Laminas MVC components, or Zend_Cache will need updates. Contact your extension vendors for explicit 2.4.9 compatibility confirmation before upgrading.

• Evaluate your message queue setup: If using RabbitMQ, confirm that RabbitMQ 4.2 is in place and begin planning your longer-term migration to Apache ActiveMQ Artemis.

  Back up your store: Always perform a full backup before upgrading to prevent data loss.

• Test in a staging environment: Validate the upgrade on a staging site first to identify and address any compatibility issues with your themes or integrations. Given the extent of framework changes in 2.4.9, staging testing is especially critical.

• Consider waiting for 2.4.9-p1: As a .0 release, early adoption carries higher risk. Unless urgency requires it (e.g. you're on 2.4.6 and approaching the August 2026 deadline), waiting for the first security patch before upgrading production is prudent.

• Engage experienced developers: Work with certified Magento experts to ensure a seamless upgrade process and ongoing maintenance.

• Track performance post-launch: After the upgrade, monitor the website's performance to ensure there are no slowdowns or other issues.

Version 2.4.8 was first available as a beta version on October 8, 2024, followed by its official launch on April 8, 2025. Its patch release schedule is shown as follows:

From January 2026, Adobe shifted to a new release cadence: monthly isolated security patches (as needed), one major version per year (released in May), and aggregated security patches twice yearly (May and November). Each 2.4.x release carries a three-year support window from its GA date.

Here are the recent Adobe Commerce releases and their corresponding end-of-support dates to assist you in planning upgrades and ensuring continued stability and security for your eCommerce platform. 

Learn more: If you are unsure of the version you are using, consult our comprehensive guide on how to check Magento version.

Adobe's development roadmap does not stop at Magento 2.4.9. From 2026, Adobe operates a structured annual release cadence: one major version each May, monthly isolated security patches across all supported lines, and aggregated security patches in May and November. This means upgrades are now a recurring annual operational requirement - planned, predictable, and scoped around a fixed May timeline.

Magento 2.4.10 can be expected in May 2027, continuing the pattern of one major release per year. Security patches for the 2.4.9 line will be released monthly as needed, with the first aggregated patch bundle (2.4.9-p1) expected in July 2026.

Evergreen is designed to address this reality. As a free upgrade solution from On Tap, it delivers all future Magento minor releases, security patches, and hotfixes in line with platform’s release cycle at no additional cost. This keeps your store current and compatible over time while removing unpredictable upgrade projects, reducing long-term maintenance overhead, and lowering the risk of forced replatforming.

In general, the latest Magento version offers valuable improvements that help merchants strengthen security, boost performance, and streamline operations. Key updates in 2.4.9 include a completely modernised framework stack (native PHP MVC, HugeRTE, Symfony Cache with Valkey 8), enhanced GraphQL accuracy (including correct discount and tax display), simplified two-factor authentication configuration, USPS RESTful API migration, and comprehensive B2B improvements. Upgrading to this latest version is a smart move for businesses aiming to enhance their eCommerce capabilities and provide exceptional customer experiences.

Magento 2.4.9 is a highly recommended upgrade for all Magento Open Source and Adobe Commerce users who want to keep their stores secure, fast, and feature-rich. Merchants not ready to move to 2.4.9 immediately should ensure they are at least on 2.4.8 with the latest security patches applied, or must upgrade from 2.4.6 before August 2026. If you’re considering upgrading your Adobe Commerce/Magento Open Source store or adopting Adobe Commerce as a Cloud Service platform, On Tap - A certified Magento development agency is here to help. With our proven expertise and free Magento upgrades solution, we help merchants stay ahead of every Magento release with minimal effort and maximum stability.

Contact us today to discuss how we can support you in upgrading from your current Magento version and innovative solutions that can transform your online business.