Released: 2026-07-14
Upstream: Magento Open Source 2.4.9
Mage-OS 3.2.0 is a security release. It applies Adobe's isolated security patch 249-2026-07-001 and fixes a lower-severity issue in the interactive installer, alongside a small set of bug fixes and add-on updates.
All users running Mage-OS 3.x should upgrade.
composer require mage-os/product-community-edition 3.2.0 --no-update
composer updateSecurity
Adobe isolated security patch 249-2026-07-001
Adobe distributes isolated patches out-of-band, separately from the quarterly release train — the content is not published to any Magento git tag or Composer package. Mage-OS 3.2.0 ports the patch to source, so you get it by upgrading rather than by applying a patch file by hand.
The patch addresses several distinct issues:
- Guest cart takeover. The guest cart endpoints did not verify that a masked cart ID actually resolved to a guest cart, allowing a masked ID to be used to reach a logged-in customer's cart. All guest-facing entry points — cart, items, coupons, billing and shipping addresses, payment and shipping methods, totals, and gift messages — now validate cart ownership before acting. Quote address validation is also promoted from REST-only to all entry points, including GraphQL.
- Stored cross-site scripting via inline translation. Translated content is now stripped of
script,iframe,object,form,styleand similar tags, along withon*event handlers, and external links are filtered out. - Template-injection sanitizer bypass. The UI component data sanitizer could be evaded by embedding a newline inside a
${...}payload. The sanitizer now matches across newlines. - Template injection via product data. Product gallery and product-view-counter data injected into JSON is no longer treated as an interpolatable template.
- Disabled product disclosure via GraphQL. Disabled products could be surfaced through the CatalogUrlRewrite GraphQL URL resolver.
- Customer address media hardening. The
customer_addressdirectory is removed from the allowed media resources, additional dangerous file extensions (hta,mhtml,mht,htc,xht,shtm,php8) are blocked, andnginx.conf.samplegains adeny allrule for/media/customer_address/.
Note on
nginx.conf.sample: if you maintain your own nginx configuration rather than using the shipped sample, add the/media/customer_address/deny rule yourself — upgrading will not change your live config.
Adobe's patch also ships a vendor/bin/patch-status tool, which reports installed-patch state to Adobe's registry using your repo.magento.com credentials. This tool is deliberately not included in Mage-OS. It has no source-tree equivalent, Mage-OS users have no repo.magento.com credentials, and none of the security fixes depend on it.
Interactive installer wrote a world-readable env.php backup (GHSA-rcp4-m32j-8fhj)
When the interactive installer was re-run over an existing installation, it backed up app/etc/env.php to a world-readable file without a .php extension, potentially exposing service credentials. The backup is now written with owner-only (0600) permissions and keeps a .php extension, so it cannot be served as raw plaintext.
This affects only the interactive installer's resume path, not bin/magento setup:install, and exposure additionally requires app/etc to sit inside the web root (the legacy root-as-docroot layout).
Severity: low (CWE-276). Reported by Volker Dusch (@edorian) of the PHP Ecosystem Security Team at The PHP Foundation, and fixed by @marcelmtz.
Fixes
- Multi-store URL collision. The URL cache key now includes the scope ID, preventing URLs from colliding across stores. (#271 — Allan Fernandes)
GLOB_BRACEon non-GNU systems. Fixes glob handling on systems whose libc does not supportGLOB_BRACE(Alpine/musl). (Ryan Hoerr)- Installer Redis cache backend. The installer now writes the
redisbackend type rather thanCm_Cache_Backend_Redis. (#281 — Marcel Martinez) - Integration tests support a Unix-socket
db-host. (#285 — Jelle Besseling)
Bundled add-on updates
mage-os/module-rma2.3.2 → 2.4.0 — adds anrma_commit_afterevent and refines RMA email dispatch; guest-form RMAs are now linked to the customer when the order has one; RMA lookup labels are localized in the resolver and emails; fixes aTypeErrorin RMA repositories'getList()caused by untyped SearchResults. (Yuriy Boyko, Oreste Luppi)mage-os/module-automatic-translation2.1.2 → 2.2.1 — paginates per 100 to avoid failures on large catalogs; fixes the cron expression; uses the DeepLv2/languagesendpoint for target-language normalization; fixes a PHP 8.5ErrorExceptionon a new product from a nullgetById(). (Rik Willems, Davide Lunardon, Ryan Hoerr)aligent/magento2-pci-4-compatibility1.4.1 → 1.4.2swissup/module-ignition1.3.0 → 1.3.1`
Upgrade notes
Mage-OS 3.2.0 tracks the same upstream release as 3.1.0 (Magento Open Source 2.4.9). There are no added or removed dependencies and no changes to magento2-base or project-community-edition beyond version bumps, so the upgrade from 3.1.0 is low-friction.
The certified stack is unchanged from 3.1.0 — PHP 8.4, MySQL 8.4, OpenSearch 3, RabbitMQ 4.1, Valkey 8, Varnish 7.7, nginx 1.28 — with one change: Composer 2.10.2 is now the certified version (previously 2.9.8).
Mage-OS 3.1.0 reaches end of life with this release.
Contributors
Thanks to everyone who contributed to this release:
Marcel Martinez (@marcelmtz), Ryan Hoerr (@rhoerr), Allan Fernandes (@ddevallan), Jelle Besseling (@pingiun), Samuele Martini (@SamueleMartini), Davide Lunardon (@dadolun95), Yuriy Boyko (@yuriy-boyko), Rik Willems, and Oreste Luppi.