Adobe has released a security update, APSB26-05 (March 10, 2026), for Adobe Commerce and Magento Open Source. This update resolves multiple critical, important, and moderate vulnerabilities that could allow attackers to bypass security features, escalate privileges, execute arbitrary code, or access sensitive files. If successfully exploited, these vulnerabilities could result in service disruption, unauthorized system access, or compromise of sensitive data. Adobe strongly recommends that merchants running affected versions apply the latest patches as soon as possible to protect their stores and infrastructure.
Affected Versions
The affected versions span several release lines of Adobe Commerce, Adobe Commerce B2B, and Magento Open Source. Users running any of the following versions or earlier are urged to take immediate action:
- Adobe Commerce: ≤ 2.4.9-alpha3, ≤ 2.4.8-p3, ≤ 2.4.7-p8, ≤ 2.4.6-p13, ≤ 2.4.5-p15, ≤ 2.4.4-p16
- Adobe Commerce B2B: ≤ 1.5.3-alpha3, ≤ 1.5.2-p3, ≤ 1.4.2-p8, ≤ 1.3.5-p13, ≤ 1.3.4-p15, ≤ 1.3.3-p16
- Magento Open Source: ≤ 2.4.9-alpha3, ≤ 2.4.8-p3, ≤ 2.4.7-p8, ≤ 2.4.6-p13, ≤ 2.4.5-p15
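To check an installed version against the list above, the following added example (not code from Adobe or from this bulletin) compares a version string with the threshold for its release line. The product keys, the status labels, and the ordering alpha < beta < rc < GA < pN within a release line are assumptions of this example; release lines that the list does not name are reported as unlisted instead of being guessed.

```python
import re

# "≤" thresholds copied from the Affected Versions list above.
THRESHOLDS = {
    "commerce": ["2.4.9-alpha3", "2.4.8-p3", "2.4.7-p8",
                 "2.4.6-p13", "2.4.5-p15", "2.4.4-p16"],
    "b2b": ["1.5.3-alpha3", "1.5.2-p3", "1.4.2-p8",
            "1.3.5-p13", "1.3.4-p15", "1.3.3-p16"],
    "open-source": ["2.4.9-alpha3", "2.4.8-p3", "2.4.7-p8",
                    "2.4.6-p13", "2.4.5-p15"],
}

_VERSION = re.compile(r"^(\d+\.\d+\.\d+)(?:-(alpha|beta|rc|p)(\d+))?$")
# Assumed ordering inside one release line: alphaN < betaN < rcN < GA < pN.
_STAGE = {"alpha": -3, "beta": -2, "rc": -1, None: 0, "p": 1}


def parse(version):
    """Split '2.4.7-p8' into its release line and a sortable rank."""
    match = _VERSION.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    line, stage, number = match.groups()
    return line, (_STAGE[stage], int(number or 0))


def status(product, installed):
    """Return 'affected', 'not-listed-as-affected' or 'line-not-listed'."""
    line, rank = parse(installed)
    for threshold in THRESHOLDS[product]:
        threshold_line, threshold_rank = parse(threshold)
        if threshold_line == line:
            if rank <= threshold_rank:
                return "affected"
            return "not-listed-as-affected"
    # The bulletin summary gives no threshold for this release line.
    return "line-not-listed"


if __name__ == "__main__":
    # Constructed inventory for illustration only.
    inventory = [("commerce", "2.4.7-p8"), ("commerce", "2.4.7-p9"),
                 ("open-source", "2.4.8"), ("b2b", "1.5.2-p3"),
                 ("open-source", "2.4.4-p16")]
    for product, version in inventory:
        print(f"{product:12} {version:14} {status(product, version)}")
```

A result of `line-not-listed` means only that the list above has no entry for that release line, so confirm the status of such installations against Adobe's bulletin.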
Solution
Adobe has provided updated versions for both Adobe Commerce and Magento Open Source to address these vulnerabilities. Adobe strongly urges users of affected versions to update immediately to the latest patch release to ensure continued security. After applying the patch, Adobe Commerce B2B users should also update to the latest compatible B2B patch.
Detailed installation instructions are available on Adobe’s website.
Why This Matters
These vulnerabilities pose significant risks for Magento and Adobe Commerce websites, particularly those running outdated versions of the platform.
- Attackers could bypass security controls and gain unauthorized access to the system.
- Some vulnerabilities could enable privilege escalation or remote code execution, allowing attackers to manipulate the application environment.
- Certain issues may allow unauthorized file system access or application denial-of-service, impacting the availability and integrity of the store.
- Adobe has categorized several vulnerabilities as critical or important, indicating a high security risk if left unpatched.
- Public disclosure of vulnerabilities often increases the likelihood of attacks once technical details become widely known, even though no active exploitation has been reported.
Keeping your Magento/Adobe Commerce installation updated is essential to maintaining the security, stability, and reliability of your eCommerce platform.
Vulnerability Details
Adobe Security Bulletin APSB26-05 addresses multiple security vulnerabilities affecting Adobe Commerce and Magento Open Source. These include security feature bypasses, improper access controls, and application flaws that attackers could use to gain unauthorized access or carry out harmful actions on affected systems.
Successful exploitation could lead to privilege escalation, arbitrary code execution, arbitrary file system read, or denial-of-service conditions, which may disrupt store operations or expose sensitive information. Depending on the system configuration, some vulnerabilities may require authentication, while others could potentially be exploited with minimal privileges.
Adobe has released patched versions of Adobe Commerce and Magento Open Source to remediate these issues. While Adobe has stated that there are currently no known exploits in the wild, applying the latest security updates is strongly recommended to prevent possible attacks and maintain the integrity of the platform.
You can find detailed information here: Adobe Security Bulletin APSB26-05.