github mage-os/mageos-magento2 3.2.0

latest release: 3.1.0
2 days ago

Released: 2026-07-14
Upstream: Magento Open Source 2.4.9

Mage-OS 3.2.0 is a security release. It applies Adobe's isolated security patch 249-2026-07-001 and fixes a lower-severity issue in the interactive installer, alongside a small set of bug fixes and add-on updates.

All users running Mage-OS 3.x should upgrade.

composer require mage-os/product-community-edition 3.2.0 --no-update
composer update

Security

Adobe isolated security patch 249-2026-07-001

Adobe distributes isolated patches out-of-band, separately from the quarterly release train — the content is not published to any Magento git tag or Composer package. Mage-OS 3.2.0 ports the patch to source, so you get it by upgrading rather than by applying a patch file by hand.

The patch addresses several distinct issues:

  • Guest cart takeover. The guest cart endpoints did not verify that a masked cart ID actually resolved to a guest cart, allowing a masked ID to be used to reach a logged-in customer's cart. All guest-facing entry points — cart, items, coupons, billing and shipping addresses, payment and shipping methods, totals, and gift messages — now validate cart ownership before acting. Quote address validation is also promoted from REST-only to all entry points, including GraphQL.
  • Stored cross-site scripting via inline translation. Translated content is now stripped of script, iframe, object, form, style and similar tags, along with on* event handlers, and external links are filtered out.
  • Template-injection sanitizer bypass. The UI component data sanitizer could be evaded by embedding a newline inside a ${...} payload. The sanitizer now matches across newlines.
  • Template injection via product data. Product gallery and product-view-counter data injected into JSON is no longer treated as an interpolatable template.
  • Disabled product disclosure via GraphQL. Disabled products could be surfaced through the CatalogUrlRewrite GraphQL URL resolver.
  • Customer address media hardening. The customer_address directory is removed from the allowed media resources, additional dangerous file extensions (hta, mhtml, mht, htc, xht, shtm, php8) are blocked, and nginx.conf.sample gains a deny all rule for /media/customer_address/.

Note on nginx.conf.sample: if you maintain your own nginx configuration rather than using the shipped sample, add the /media/customer_address/ deny rule yourself — upgrading will not change your live config.

Adobe's patch also ships a vendor/bin/patch-status tool, which reports installed-patch state to Adobe's registry using your repo.magento.com credentials. This tool is deliberately not included in Mage-OS. It has no source-tree equivalent, Mage-OS users have no repo.magento.com credentials, and none of the security fixes depend on it.

Interactive installer wrote a world-readable env.php backup (GHSA-rcp4-m32j-8fhj)

When the interactive installer was re-run over an existing installation, it backed up app/etc/env.php to a world-readable file without a .php extension, potentially exposing service credentials. The backup is now written with owner-only (0600) permissions and keeps a .php extension, so it cannot be served as raw plaintext.

This affects only the interactive installer's resume path, not bin/magento setup:install, and exposure additionally requires app/etc to sit inside the web root (the legacy root-as-docroot layout).

Severity: low (CWE-276). Reported by Volker Dusch (@edorian) of the PHP Ecosystem Security Team at The PHP Foundation, and fixed by @marcelmtz.


Fixes

  • Multi-store URL collision. The URL cache key now includes the scope ID, preventing URLs from colliding across stores. (#271 — Allan Fernandes)
  • GLOB_BRACE on non-GNU systems. Fixes glob handling on systems whose libc does not support GLOB_BRACE (Alpine/musl). (Ryan Hoerr)
  • Installer Redis cache backend. The installer now writes the redis backend type rather than Cm_Cache_Backend_Redis. (#281 — Marcel Martinez)
  • Integration tests support a Unix-socket db-host. (#285 — Jelle Besseling)

Bundled add-on updates

  • mage-os/module-rma 2.3.2 → 2.4.0 — adds an rma_commit_after event and refines RMA email dispatch; guest-form RMAs are now linked to the customer when the order has one; RMA lookup labels are localized in the resolver and emails; fixes a TypeError in RMA repositories' getList() caused by untyped SearchResults. (Yuriy Boyko, Oreste Luppi)
  • mage-os/module-automatic-translation 2.1.2 → 2.2.1 — paginates per 100 to avoid failures on large catalogs; fixes the cron expression; uses the DeepL v2/languages endpoint for target-language normalization; fixes a PHP 8.5 ErrorException on a new product from a null getById(). (Rik Willems, Davide Lunardon, Ryan Hoerr)
  • aligent/magento2-pci-4-compatibility 1.4.1 → 1.4.2
  • swissup/module-ignition 1.3.0 → 1.3.1`

Upgrade notes

Mage-OS 3.2.0 tracks the same upstream release as 3.1.0 (Magento Open Source 2.4.9). There are no added or removed dependencies and no changes to magento2-base or project-community-edition beyond version bumps, so the upgrade from 3.1.0 is low-friction.

The certified stack is unchanged from 3.1.0 — PHP 8.4, MySQL 8.4, OpenSearch 3, RabbitMQ 4.1, Valkey 8, Varnish 7.7, nginx 1.28 — with one change: Composer 2.10.2 is now the certified version (previously 2.9.8).

Mage-OS 3.1.0 reaches end of life with this release.


Contributors

Thanks to everyone who contributed to this release:

Marcel Martinez (@marcelmtz), Ryan Hoerr (@rhoerr), Allan Fernandes (@ddevallan), Jelle Besseling (@pingiun), Samuele Martini (@SamueleMartini), Davide Lunardon (@dadolun95), Yuriy Boyko (@yuriy-boyko), Rik Willems, and Oreste Luppi.

Don't miss a new mageos-magento2 release

NewReleases is sending notifications on new releases.