Magento Open Source 2.4.9-beta1 landed on 10 March 2026 — and it's not a routine patch. Three foundational frameworks replaced. MySQL 8.0 dropped. Redis out, Valkey in. A new WYSIWYG editor. 560+ bug fixes. And 17 security CVEs patched in one go.
If you run or advise Magento stores, here's everything you need to know — well before General Availability in May 2026.
Release Timeline
Magento 2.4.9 has been in development since mid-2025. Where we are now:
What's New in Magento 2.4.9-Beta1
1. Three Core Frameworks Replaced
Three foundational components have been swapped out — either end-of-life or licensing conflicts:
Any extension hooking into Laminas MVC or TinyMCE JavaScript APIs will need updates before GA. If you're planning a front-end overhaul alongside the upgrade, our Magento 2 development services cover both upgrade management and Hyva theme migration. HugeRTE is an MIT-licensed fork of TinyMCE with basic API compatibility. All Symfony dependencies now target Symfony 7.4 LTS.
2. Security — APSB26-05 (Don't Wait for 2.4.9)
Adobe released APSB26-05 alongside Beta1, patching 17 CVEs across all supported versions:
APSB26-05 Severity Breakdown
- 7 Critical — arbitrary code execution and privilege escalation
- 9 Important — various injection and access control issues
- 1 Moderate — lower severity disclosure issue
Patched versions available now (check APSB26-05 on Adobe's security bulletin for the full CVE list):
You do not need to wait for Magento 2.4.9 GA to address these security issues. Apply the patch for your current version now — 7 critical CVEs is not something to defer to next quarter.
Additional security improvements in Beta1:
- CAPTCHA enforced on REST and GraphQL account creation endpoints
- Simplified 2FA — admins configure one provider, not all
- GraphQL alias limit of 10 per request — prevents resource exhaustion (see NIST NVD for full CVE details)
- OAuth library replaced with native PHP OAuth functions
- JWT framework updated to latest major version
3. Payment & Shipping Upgrades
- Apple Pay now works on Chrome and Firefox — not Safari-only
- Google Pay & Apple Pay accept promotional codes in express checkout
- PayPal Express adds server-side shipping callbacks with real-time cost calculation
- New payment methods: BLIK (Poland), Pay Upon Invoice (Germany), ELO cards (Brazil)
- Real-Time Account Updater: vaulted card details refresh automatically when reissued
- USPS migrated to RESTful APIs with OAuth 2.0 (legacy XML API retired January 2026)
- DHL now supports MyDHL RESTful APIs alongside legacy XML
4. ActiveMQ Artemis Support
Apache ActiveMQ Artemis 2 is now a supported message broker alongside RabbitMQ 4.1. Merchants have a second production-grade option for async processing. ActiveMQ uses STOMP protocol; RabbitMQ uses AMQP.
5. 560+ Bug Fixes
- API validation: malformed requests return 400 instead of 500 errors
- Checkout handling for special characters in customer data
- Configurable product option persistence
- URL rewrite reliability improvements
- Bulk async endpoint performance restored (degraded by APSB25-08 — now fixed)
- Product gallery inheritance in REST API at store view level
System Requirements — What's Changing
Was: 8.3, 8.4 → Now: 8.3, 8.4, 8.5
PHP 8.2 removed — upgrade if needed
Was: 8.0, 8.4 → Now: 8.4 LTS only
Must upgrade from MySQL 8.0
Was: 10.6, 11.4 → Now: 11.4 only
Must upgrade from 10.6
Was: Redis 7.2 → Now: Valkey 8.x
Migrate from Redis to Valkey
Was: 2.x → Now: 3.x (2.x compat)
Plan migration from OpenSearch 2.x
Was: 3.13 → Now: 4.1
Protocol changes — reconfiguration may be needed
Nginx → 1.28 | Varnish → 7.7
Update both web server components
Why Upgrade — And When
Version Support Status
- 2.4.8 — Current stable. Support ends April 2028. Apply -p4 now.
- 2.4.7 — Supported to April 2027. Apply -p9 now.
- 2.4.6 — Nearing end of line. Plan upgrade to 2.4.8.
- 2.4.4 / 2.4.5 — End of life. Upgrade urgently.
- 2.3.x and below — Completely unsupported. Immediate risk.
Seven critical CVEs were just patched in APSB26-05. Those vulnerabilities exist in unpatched stores right now. Staying on an unsupported version is not a question of when — it's a question of what's already happened. Beyond security, outdated Magento stores typically suffer Core Web Vitals degradation — a direct ranking factor Google weighs heavily for ecommerce.
Running an unsupported Magento version? We can assess your upgrade path and handle the migration — no lock-in, no agency overhead.
Talk to PalMultimedia →Step-by-Step Upgrade Guide
Pre-Upgrade Checklist
- Full database backup taken
- Full filesystem backup taken
- All extensions audited for 2.4.9 compatibility
- Custom code reviewed for Laminas/TinyMCE dependencies
- PHP confirmed as 8.3, 8.4, or 8.5
- MySQL upgraded to 8.4 LTS or MariaDB to 11.4
- Redis replaced with Valkey 8.x
- Staging environment ready and tested
- Composer 2.9.3+ installed
- Maintenance window scheduled
Step 1 — Enable Maintenance Mode
php bin/magento maintenance:enableStep 2 — Back Up Everything
mysqldump -u [USER] -p [DB] > backup_YYYYMMDD.sql
tar -czf files_YYYYMMDD.tar.gz /path/to/magento/Step 3 — Update via Composer
composer require magento/product-community-edition 2.4.9 --no-update
composer update && composer installStep 4 — Run Magento Upgrade
rm -rf generated/code/* generated/metadata/*
php bin/magento setup:upgrade
php bin/magento setup:di:compile
php bin/magento setup:static-content:deploy -f
php bin/magento indexer:reindex
php bin/magento cache:flushStep 5 — Disable Maintenance Mode & Test
php bin/magento maintenance:disablePost-Upgrade Testing Checklist
- Homepage loads correctly
- Category and product pages rendering
- Add-to-cart and checkout flow working end-to-end
- Payment gateway(s) processing correctly
- Admin panel accessible and functional
- HugeRTE WYSIWYG editor working in Admin
- Search functionality operational
- All critical extensions tested
- Email sending confirmed
- Cron jobs running correctly
Extension Compatibility — What to Watch
Extensions using Laminas MVC classes directly
Must update before 2.4.9
Custom TinyMCE plugins / deep TinyMCE API integrations
Review for HugeRTE compatibility
Extensions using Redis for session/cache
Verify Valkey compatibility
Extensions requiring MySQL 8.0-specific features
Test against MySQL 8.4
Standard Magento extensions, no deep framework hooks
Test, likely fine
Frequently Asked Questions
Should I upgrade to Beta1 on my live store?
No. Beta releases are for staging only. Your production upgrade window opens when GA is released in mid-May 2026.
I'm on 2.4.7 — do I need to apply APSB26-05 now?
Yes. Apply 2.4.7-p9 immediately. 7 critical CVEs were just patched — don't wait for 2.4.9 GA.
What's Valkey and why is Redis being replaced?
Valkey is an open-source fork of Redis, created after Redis changed its licensing in 2024. It's drop-in compatible for most use cases. Magento 2.4.9 standardises on Valkey 8.x.
Is HugeRTE a downgrade from TinyMCE?
For most users, you won't notice a difference. HugeRTE maintains API compatibility. Complex custom TinyMCE plugins need review — simple content editing works as before.
I'm on Magento 2.4.4 — what should I do?
Upgrade now. 2.4.4 and 2.4.5 are end-of-life. Jump to 2.4.8 as the current stable release and plan for 2.4.9 when GA arrives.
Your Magento 2.4.9 Action Plan
What to do right now
- Apply APSB26-05 patches today — get the security patch for your current version
- Test Beta1 in staging — audit extensions and custom code now, not in May
- Plan infrastructure upgrades — MySQL 8.4, MariaDB 11.4, Valkey 8, PHP 8.3+
- Audit your extensions — particularly Laminas MVC or TinyMCE integrations
- Book your GA upgrade window — plan for May/June 2026
Magento 2.4.9 isn't just a patch — it's an architectural reset. The merchants who prepare now will have a smooth May upgrade. Those who wait and scramble will have a painful one.
Need expert help planning or executing your Magento 2.4.9 upgrade? PalMultimedia specialises in Magento upgrades and migrations for UK SMBs.
Get in touch →