Adobe Commerce Security Patches — What Changes vs What Stays

Adobe Commerce security patches follow a fixed quarterly cadence (the Adobe Product Security Incident Response APSB bulletin)^[1] that ships a tar-ball of vendor/magento/* module changes against Adobe Commerce and Magento Open Source 2.4.4 — 2.4.9. Not every patch deserves the same regression budget. After applying every Magento security patch released since 2.4.4 across kishansavaliya.com client projects, four recurring patch shapes emerge — each touching a different surface area of the codebase and demanding a different test suite. Below is the categorization, the modules each shape touches, the tests to re-run, the typical ETA, and the composer show recipe to pre-detect impact before the window opens.

Every Adobe security patch fits one of four shapes — the shape determines the regression budget

Adobe does not publish a patch taxonomy. They ship a CVE list, a list of affected versions, and a tar-ball^[2]. Teams that treat every patch as "needs a full regression sprint" burn 40+ hours a quarter and still miss real regressions. Teams that treat every patch as "safe to apply blind" eventually ship a payment gateway outage. The middle path is shape-based regression — categorize the patch in 15 minutes, size the window from a table, and skip the noise.

The CVE number tells you what Adobe fixed. The shape tells you what you need to retest.

The four shapes below cover every Magento security patch shipped between Q2 2024 and Q1 2026. The shape is determined by the vendor/magento namespace the patch lands in — not by the CVE severity score. A CVSS 9.1 Admin-UI XSS is still a 2-hour patch on most stores; a CVSS 6.3 payment-validation tweak can eat a week.

Shape 1: Admin-UI XSS — safe to apply blind on most stores

The most common patch shape. Adobe finds a stored or reflected XSS in an admin-only template — order grid filter, customer attribute, CMS page editor, system configuration field. The fix lands in vendor/magento/module-backend, vendor/magento/module-ui, or one of the module-*-admin-ui family. Customer-facing surface area: zero.

Modules typically changed

• magento/module-backend
• magento/module-ui
• magento/module-cms (admin templates only)
• magento/module-catalog-admin-ui
• magento/module-customer-admin-ui

Tests to re-run

• Admin login on a non-admin user (RBAC sanity).
• Admin grid filtering on orders, customers, products.
• System > Configuration save round-trip.
• CMS Page editor save with WYSIWYG enabled.

Typical ETA

~2 hours on a stock store, ~4 hours if you have heavily customized admin grids (Amasty Admin Actions Log, ShopGo Admin Activity Log).

Patch hint

composer show -i 'magento/*' | grep -E '(backend|admin-ui)'
# If the patch tar-ball only touches these modules → Shape 1.

Shape 2: Sales\Order\Payment input validation — re-test every payment gateway

The expensive shape. Adobe patches an input-validation bug in Magento\Sales\Model\Order\Payment or in one of the module-payment-* base classes. Every third-party payment extension (Stripe, Adyen, Braintree, Klarna, Mollie, PayPal Plus) inherits from these classes — and the patch often changes a method signature or a sanitization regex that downstream extensions silently rely on.

Modules typically changed

• magento/module-sales
• magento/module-payment
• magento/module-paypal
• magento/module-authorizenet-acceptjs
• magento/module-braintree
• magento/framework (occasional, when the fix is in Magento\Framework\App\RequestInterface)

Tests to re-run

Every payment method that is enabled on production — not just the default one. The CSV of payment-extension-specific regressions we have shipped against this shape:

  Payment method        Last regression we caught
- Stripe Elements       client-secret double-encoding (APSB23-50)
- Adyen Drop-in         3DS challenge URL stripped (APSB24-03)
- Braintree Hosted      device-data nonce truncated (APSB24-40)
- Klarna Payments       order_id missing from session (APSB25-14)
+ PayPal Express        no regression observed in 2.4.4 — 2.4.9

Typical ETA

~12 hours on a store with one payment gateway, scaling to 16–24 hours if you run 3+ gateways in parallel (common on multi-country stores).

Patch hint

composer show -i 'magento/*' | grep -E '(sales|payment|paypal|braintree|authorizenet)'
# Plus all third-party payment extensions:
composer show -i | grep -iE '(stripe|adyen|klarna|mollie|worldpay|amazon-pay)'

Shape 3: Adobe IMS / AdminAdobeIms — re-test SSO and 2FA

Adobe Commerce-only (does not ship on Magento Open Source). The magento/module-admin-adobe-ims family handles the Adobe IMS single sign-on flow that lets merchants log into the admin via their adobe.com account, plus the magento/module-two-factor-auth integration with Google Authenticator and Duo.

Modules typically changed

• magento/module-admin-adobe-ims
• magento/module-admin-adobe-ims-api
• magento/module-two-factor-auth
• magento/module-security

Tests to re-run

• Adobe IMS SSO login → admin dashboard reaches load.
• 2FA enrollment for a fresh admin user (Google Authenticator or Duo).
• 2FA challenge on existing admin user re-login.
• Admin password reset flow (sometimes hooks the same security module).

Typical ETA

~6 hours if you run Adobe IMS on production; ~1 hour if you do not (just run the 2FA smoke test). Open Source stores can skip this shape entirely.

Patch hint

composer show -i 'magento/*' | grep -E '(adobe-ims|two-factor-auth)'

Shape 4: Catalog / Search GraphQL — re-test PWA and headless

The shape most often missed by Magento teams that own only the backend. Adobe patches a GraphQL resolver in module-catalog-graph-ql, module-search-graph-ql, or module-quote-graph-ql — and the patch changes the field nullability, the response shape, or the available filter arguments. PWA Studio, Hyvä React companion, and Next.js Commerce storefronts crash on first request.

Modules typically changed

• magento/module-catalog-graph-ql
• magento/module-search-graph-ql
• magento/module-quote-graph-ql
• magento/module-customer-graph-ql
• magento/module-store-graph-ql

Tests to re-run

• Run the headless storefront's full GraphQL query suite against the patched backend.
• Re-generate Apollo / urql / codegen types — diff the schema for breaking changes.
• PDP load → variant switch → add-to-cart → mini-cart refresh end-to-end.
• Search autocomplete and search results page.

Typical ETA

~10 hours if you run one headless storefront; ~16 hours if you run a PWA Studio storefront and a Hyvä React companion in parallel.

Patch hint

composer show -i 'magento/*' | grep 'graph-ql'

The patch-shape matrix at a glance

The four shapes mapped to modules, tests, and ETA — pin this table on the upgrade window's Slack channel so the merchant sees the regression budget before they sign the change request.

The pre-detection recipe — read the patch in 15 minutes

When the next APSB bulletin drops^[3], Adobe ships a CSV of affected modules. Translate it to a shape in three commands:

# 1. Pull the patch's list of changed modules from the APSB bulletin.
curl -s https://helpx.adobe.com/security/products/magento/apsb26-XX.html \
  | grep -oE 'magento/module-[a-z-]+' | sort -u > /tmp/patch-modules.txt

# 2. Diff against what your store actually has installed.
composer show -i 'magento/*' --format=json \
  | jq -r '.installed[].name' > /tmp/installed-modules.txt

# 3. The intersection is the exact set of modules the patch will touch on your store.
comm -12 /tmp/patch-modules.txt /tmp/installed-modules.txt

Read the output. If it contains graph-ql, Shape 4. If it contains sales or payment, Shape 2. If it contains adobe-ims or two-factor-auth, Shape 3. Otherwise Shape 1. Schedule the window accordingly.

The composer patch workflow we apply per shape

Magento's official guidance is to apply security patches via the Magento Composer Plugin^[4]. The workflow differs per shape only at the smoke-test step.

Apply

composer require magento/magento-cloud-patches:^1.1 --no-update
composer require magento/quality-patches:^1.1 --no-update
composer update --with-all-dependencies
bin/magento setup:upgrade
bin/magento setup:di:compile
bin/magento setup:static-content:deploy -f
bin/magento cache:flush

Verify

composer show -i 'magento/*' | grep -E '$(cat /tmp/patch-modules.txt)'
# Every entry should show the patched version.

Smoke test (per shape)

Use the test list from the corresponding shape section above. Do not run the "full regression" — it adds 6 hours and catches nothing the shape-specific suite missed.

A patch you cannot rollback in five minutes is a patch you should not apply on a Friday.

Rollback plan that survives a Friday push

Same plan we use for full upgrades. Before applying any security patch:

TAG="pre-patch-$(date +%Y%m%d-%H%M)"
git tag -a "$TAG" -m "Snapshot before security patch APSB26-XX"
tar -czf "backups/vendor-$TAG.tar.gz" vendor composer.lock
mysqldump --single-transaction --no-tablespaces \
  -u root -p"$DB_PASS" magento > "backups/db-$TAG.sql"

Rollback if the smoke test fails:

git checkout pre-patch-20260520-1040
tar -xzf backups/vendor-pre-patch-20260520-1040.tar.gz
bin/magento cache:flush
bin/magento setup:di:compile

Rollback time: 4–6 minutes on a stock store. We have triggered this twice in the last year — both times on Shape 2 (payment gateway regression).

What this post is not

This is not a CVE-by-CVE walkthrough. The Adobe Security Bulletins^[5] already do that. This is the recurring shape under each quarterly patch so you can size the window before Adobe publishes the bulletin. Next quarter's patch will fit one of these four shapes; the shape determines whether the window is a 2-hour Monday morning or a 16-hour weekend sprint.

Quarterly cadence — what to expect next

Adobe publishes the security calendar at the start of each fiscal year. The cadence since 2.4.4 has been remarkably consistent:

• February APSB — typically Shape 1 + Shape 4 (XSS + GraphQL).
• May APSB — often Shape 2 (payment validation, post-PCI audit cycle).
• August APSB — often Shape 3 + Shape 1 (IMS hardening + XSS).
• November APSB — biggest quarter, usually all four shapes combined.

Block the November window two months early. Black Friday is non-negotiable; a botched November patch eats the merchant's biggest sales week.

bin/magento dev:graphql:export-schema > schema-pre.graphql
# apply patch
bin/magento dev:graphql:export-schema > schema-post.graphql
diff schema-pre.graphql schema-post.graphql

Related reading

• Magento 2.4.9 upgrade issues — the 5 universal traps
• Magento slow checkout — the 3 actual fixes
• Magento upgrade service

Citations

1. Adobe Security Bulletins — Magento product page (helpx.adobe.com/security/products/magento.html)
2. Adobe Commerce security patches overview — Experience League
3. Adobe Product Security Incident Response (PSIRT) bulletin index
4. Magento Quality Patches Tool — Experience League
5. Adobe Security Bulletin index — Magento
6. PCI DSS 4.0 — Requirement 6.3.3 critical patch timeline
7. Adobe Commerce software lifecycle policy