Magento 2.4.9: What’s New and What Your Store Needs to Do Before May

Magento 2.4.9 releases on 12 May 2026. This is not a routine security patch. It is the biggest architectural change to the Magento codebase since version 2.4.4, and for store owners there are three things that matter most right now:

1. If you are on Magento 2.4.6, your support ends on 11 August 2026. That is 90 days away.
2. If you are on Magento 2.4.4 or 2.4.5, you are already past end of life and running without security patches.
3. Magento 2.4.9 introduces breaking framework changes that require careful preparation rather than a quick upgrade.

This guide explains what has changed in the new version of Magento, why it matters, and what your store should actually do about it.

Before getting into what 2.4.9 brings, it is worth mapping where things stand on the version calendar.

Magento 2.4.8-p4 (released 10 March 2026) is the current recommended production version. It runs on PHP 8.3 or 8.4, supports MariaDB 11.4 and MySQL 8.4, uses OpenSearch 2.19, and carries support through April 2028. If your store is on 2.4.8 and up to date on patches, you are in good shape and there is no urgency to rush onto 2.4.9 on day one. For a breakdown of earlier Magento releases and version history, you can review the details here: Magento 2.4.8 Release Guide

Magento 2.4.7 is still supported, though it reaches end of life in April 2027. Stores on 2.4.7 should plan their upgrade to 2.4.8 or 2.4.9 during 2026.

Magento 2.4.6 reaches end of life on 11 August 2026. After that date, Adobe releases no more security patches. Stores still on 2.4.6 after August will be running known, unpatched vulnerabilities. If your store is on 2.4.6, upgrading is not optional.

Magento 2.4.5 and 2.4.4 are already past end of life. If your store is on either of these versions, this is urgent and needs addressing now.

One of the most practically significant changes for 2026 is not a version number it is how Adobe now releases patches.

From January 2026, Adobe moved to monthly isolated security patches. The old quarterly cycle, where you waited up to three months for a critical security fix to be bundled into the next patch, is gone. Security vulnerabilities now receive patches as needed each month, with two larger aggregated patch bundles per year in May and November.

For store owners, this means two things:

First, critical security exposure windows are shorter. A vulnerability discovered in March no longer has to wait until June to receive a patch.

Second, patch management becomes a monthly discipline rather than a quarterly event. If you are managing patches yourself or relying on a developer to handle them reactively, that cadence has changed. Stores that treat security patching as a once-a-quarter task are no longer operating to Adobe’s recommended standard.

Our team currently manages patch cycles for over 100 live Magento stores on retainer. The shift to monthly isolated patches is something we have already absorbed into our maintenance process but if you do not have that kind of consistent oversight in place, now is the right time to address it.

Magento 2.4.9 is primarily an infrastructure release. The visible frontend changes are minimal. What has changed is the technical foundation the platform runs on, and several of those changes are significant enough to affect extensions, custom modules, and hosting environments.

Three Framework Components Replaced

The headline change in 2.4.9 is the replacement of three core framework components that have been part of Magento since its early 2.x days:

Laminas MVC replaced with native PHP MVC. Magento 2 was built on the Zend Framework, which became Laminas. Adobe has been removing Laminas dependencies across the 2.4.x line for several releases. In 2.4.9, the MVC layer itself has been replaced with native PHP. Any extension that directly extends Laminas controllers, routers, or request handlers will break on 2.4.9 without an update.

TinyMCE replaced with HugeRTE. The WYSIWYG editor used in the admin panel for product descriptions and CMS content blocks has been swapped. TinyMCE versions 5 and 6 reached end of support, and TinyMCE 7 introduced licensing changes that made it incompatible with Magento’s open-source licence. HugeRTE is the replacement open-source and actively maintained. Basic editor functionality is preserved, but extensions that customise TinyMCE’s toolbar or rely on its JavaScript API will need reviewing.

Zend_Cache replaced with Symfony Cache. The legacy caching layer has been replaced with Symfony Cache. Adobe reports that this change delivers 30 to 50% faster cache operations and reduced load on the Redis (or Valkey) backend. Extensions that hook into Zend_Cache classes directly will need updates.

These three changes together are why Magento 2.4.9 cannot be treated as a routine version bump. They are foundational, and they affect the extension ecosystem.

PHP 8.5 Support and What Gets Dropped

Magento 2.4.9 is the first version to add day-one support for PHP 8.5. PHP 8.4 remains the recommended production version. PHP 8.3 is supported for upgrade purposes only. PHP 8.2 is no longer supported at all.

If your store is running PHP 8.2, you need a PHP upgrade before you can move to 2.4.9.

PHP 8.5 brings meaningful performance improvements. Stores that move to 2.4.9 on PHP 8.5 will see genuine speed gains not marginal ones.

Database Requirements Change

Magento 2.4.9 drops support for MySQL 8.0 and MariaDB 10.6. The new minimum requirements are MySQL 8.4 LTS or MariaDB 11.4.

The timing here matters. MySQL 8.0 reached end of life in April 2026 two weeks before 2.4.9 GA. Stores still on MySQL 8.0 are running an unsupported database and need to migrate regardless of their Magento version.

A MySQL or MariaDB upgrade is not trivial. It involves testing schema compatibility, checking stored procedures, and validating replication configurations if your setup uses database replication. This is work that needs to happen in a staging environment before touching production.

OpenSearch Replaces Elasticsearch Entirely

If your store is still using Elasticsearch, Magento 2.4.9 completes the removal of Elasticsearch support that began in earlier releases. OpenSearch 3.x is now the required search engine for 2.4.9. OpenSearch 2.19 remains supported on 2.4.8.

OpenSearch 3.x introduces index format changes from version 2.x. Stores with large product catalogues may need to budget for reindexing time as part of the upgrade.

Valkey Replaces Redis as the Default Cache Backend

Redis changed its open-source licence in 2024, which prompted the creation of Valkey — a community fork of Redis maintained under an open-source licence. Adobe adopted Valkey in 2.4.8 and it becomes the recommended default in 2.4.9. Valkey 8 is wire-compatible with Redis, meaning the switch is operationally straightforward for most stores. Redis 7.2 may still work but is no longer in Adobe’s official system requirements for 2.4.9.

For store owners, this means your hosting provider needs to support Valkey 8 for a 2.4.9 upgrade. Most managed Magento hosting environments have already moved or are moving to Valkey.

Magento 2.4.9 adds several meaningful security enhancements beyond the March 2026 patch bundle:

CAPTCHA enforcement on APIs. When CAPTCHA is enabled for the customer registration form, the same protection now applies to REST and GraphQL account creation requests. This closes a gap that allowed bots to create accounts via API without triggering CAPTCHA.

Improved token authentication (JWT). The JSON Web Token system used for API integrations has been updated to improve security.

Native OAuth. The third-party OAuth library has been replaced with native PHP OAuth functions, removing a dependency and reducing the attack surface.

USPS shipping migration. The USPS integration has been updated from the legacy XML API to the new RESTful API with OAuth 2.0 authentication. The legacy USPS API was retired on 25 January 2026. Stores using USPS shipping on older Magento versions need this update.

500+ Bug Fixes

Magento 2.4.9 includes over 500 fixes in Magento Open Source and over 560 in Adobe Commerce. Notable among these: bulk operations (large catalogue updates, inventory syncs) run noticeably faster, API errors now return proper error codes instead of generic crashes, orders can no longer be created via API without a billing address (which previously caused admin dashboard crashes), and multiselect product attribute updates via REST API no longer overwrite store-specific labels.

Magento 2.4.9 includes expanded Braintree payment features:

• Braintree promotional codes now work with Google Pay and Apple Pay checkout flows
• New local payment method support has been added for specific markets

If your store processes payments through Braintree, test these in staging before upgrading.

This is the question most store owners actually want answered, and the honest answer depends on your situation.

If you are on Magento 2.4.8: Stay on 2.4.8 for now. Wait for 2.4.9-p1, which is expected 30 to 45 days after the May 12 GA release. The first patch after a major release is when extension vendors catch up, and it is when early-adoption edge cases get fixed. There is no security urgency to move on day one 2.4.8 is supported through April 2028.

If you are on Magento 2.4.7: Plan an upgrade to 2.4.8 in 2026. You can go directly from 2.4.7 to 2.4.9 once it stabilises, but the safer path is 2.4.8 first, then 2.4.9 after you have validated extension compatibility with the 2.4.9 framework changes.

If you are on Magento 2.4.6: You have until 11 August 2026. That is your hard deadline. Upgrade to 2.4.8 now rather than trying to move directly to 2.4.9 while it is still in early release. A 2.4.6 to 2.4.8 upgrade is well-tested and extension vendors have had time to confirm compatibility.

If you are on Magento 2.4.5 or 2.4.4: You are already past end of life. Every day without an upgrade is a day your store is running without security patches. Upgrading is urgent.

If you are on Magento 1: Magento 1 reached end of life in June 2020. Any store still on Magento 1 is carrying serious security risk and needs a migration plan immediately.

For stores planning to move to 2.4.9 once it stabilises, here is an honest assessment of the preparation involved.

Extension audit. Every extension that directly uses Laminas MVC, TinyMCE JavaScript APIs, or Zend_Cache classes needs to be reviewed for compatibility. Contact your extension vendors now and ask for their 2.4.9 compatibility timeline. Do not wait until after GA. Most vendors will publish compatibility information in the weeks following the May 12 release.

PHP upgrade. If your store is on PHP 8.2, you need to move to PHP 8.3, 8.4, or 8.5 before upgrading Magento. This is a server-level change that requires coordination with your hosting provider.

Database upgrade. If your store is on MySQL 8.0 or MariaDB 10.6, you need to migrate to MySQL 8.4 LTS or MariaDB 11.4. This is not a settings change — it involves migrating the database itself, which needs proper staging, testing, and a rollback plan.

OpenSearch upgrade. Stores on OpenSearch 2.x need to move to OpenSearch 3.x for 2.4.9 compatibility. For large catalogues, budget for reindexing time.

The upgrade command changed. In 2.4.9, the Composer command has changed from composer require magento/… to composer require-commerce magento/…. Older upgrade scripts need to be updated accordingly.

Staging environment testing. Given the scale of framework changes in 2.4.9, testing in a staging environment that mirrors production is not optional. Budget 7 to 14 days of staging testing if you have custom modules, and get your developers running the beta in staging now.

Magento 2.4.9 is best understood as Adobe systematically modernising the platform’s technical foundations. The removal of Laminas, the Zend_Cache replacement with Symfony Cache, and the move to native PHP MVC are not feature additions they are debt reduction, and they future-proof the platform against PHP version changes for years ahead.

Alongside version 2.4.9, Adobe has been building Adobe Commerce as a Cloud Service (ACCS), a multi-tenant SaaS version of Commerce launched in June 2025. ACCS represents Adobe’s direction for enterprise eCommerce managed infrastructure, faster feature delivery, and reduced operational overhead for large retailers. It is not the right fit for every business (deep customisation is constrained by the SaaS model), but it is the path Adobe is investing most heavily in.

For the majority of UK retailers on Magento Open Source or on-premises Adobe Commerce, the 2.4.x LTS line continues to be the appropriate platform. The framework modernisation in 2.4.9 ensures that Magento 2.4.x remains a credible choice through 2028 and beyond.

As an Adobe Commerce Certified agency that currently supports over 100 live Magento stores, our recommendation is straightforward:

Check your current version today. If you are on 2.4.6 or earlier, the upgrade timeline is urgent and you need a plan now. If you are on 2.4.7, plan for 2.4.8 this year. If you are on 2.4.8, you are in good shape focus on extension compatibility testing against 2.4.9 beta in staging.

Do not upgrade production stores to 2.4.9-GA on day one. Wait for 2.4.9-p1 (expected June 2026), verify your extensions are compatible, and plan your upgrade for the window between June and September 2026.

Treat the new monthly patch cadence as a process change. If your current maintenance arrangement does not include monthly patch review, it needs updating. Running a Magento store on an outdated security patch is an increasing liability as the monthly cadence delivers fixes faster.

Get your hosting stack assessed. If your store is on PHP 8.2, MySQL 8.0, or MariaDB 10.6, you have infrastructure changes to make regardless of your Magento version.

If you need an assessment of where your store currently sits and what your upgrade path should look like, our certified team can carry out a Magento audit and give you a clear, honest recommendation. We have been doing this across 250+ Magento projects and the upgrade complexity varies significantly depending on how your store has been built and what extensions are in play.