How to Apply and Manage Magento Cloud Patches

What Are Magento Cloud Patches?

Magento Cloud Patches = A Composer package (magento/magento-cloud-patches) that delivers required fixes for Adobe Commerce Cloud environments. Covers security vulnerabilities, bug fixes, and cloud infrastructure improvements.

Perfect for: Adobe Commerce Cloud merchants, DevOps teams managing cloud deployments, agencies maintaining multiple cloud stores

Not ideal for: On-premise Magento installations (use Quality Patches Tool instead), Magento Open Source without cloud infrastructure

Magento Cloud Patches is a specific Composer package, not a generic label. The current version is v1.1.13 (March 5, 2026), which added PHP 8.5 support.

The ece-tools package installs and updates Cloud Patches as a dependency. When you deploy changes to your remote environment, ece-tools applies all required patches from this package before your code goes live.

Most Cloud Patches require zero manual action. The deployment pipeline handles everything.

Three Categories of Magento Cloud Patches

Adobe Commerce Cloud uses three distinct patching mechanisms. Each serves a different purpose and applies through a different method.

1. Cloud Patches for Commerce (Required)

These patches ship with the magento/magento-cloud-patches package. They fix critical issues that affect how Adobe Commerce integrates with cloud infrastructure.

What they cover:

• Security vulnerabilities (CVE patches)
• Cloud platform compatibility
• Performance fixes for cloud environments
• Payment processing patches (Braintree, PayPal)
• Redis and cache optimization

How they apply: The ece-tools package handles this during deployment. No manual steps required.

2. Quality Patches (Optional)

The Quality Patches Tool (magento/quality-patches) delivers individual, low-impact fixes developed by Adobe and the community. You choose which patches to apply based on your store's needs.

These patches cover specific module bugs, admin panel issues, frontend rendering problems, and API fixes. Learn more in our Magento security patches guide.

3. Custom Patches (Manual)

For issues not covered by Adobe patches, create custom patch files and place them in the /m2-hotfixes directory at your project root.

Custom patches cover vendor-specific fixes, extension compatibility issues, business logic patches, and temporary workarounds before official fixes arrive. The deployment process picks up .patch files from /m2-hotfixes in alphabetical order.

How to Prepare for Patch Installation

Complete these steps before applying any patch to your Adobe Commerce Cloud environment.

Back Up Your Store

Create a full backup of your database and files. Branch from your Integration environment before making changes:

git checkout -b patch-update-2026-03

This keeps your work-in-progress safe if the patch introduces issues.

Check Version Compatibility

Verify your Magento version matches the patch requirements:

bin/magento --version

Cross-reference the output with Adobe's release notes to confirm compatibility.

Enable Maintenance Mode

Put your store in maintenance mode before applying patches:

php bin/magento maintenance:enable

Test in Staging First

Apply patches to your staging environment before production. Adobe Commerce Cloud provides staging environments for this exact purpose. Follow Magento security best practices when testing patches that address vulnerabilities.

How to Apply Magento Cloud Patches

Method 1: Deployment (Recommended)

Cloud Patches apply during every deployment through ece-tools. Update the package to get the latest patches:

composer update magento/ece-tools

Push your changes:

git add composer.json composer.lock
git commit -m "Update ece-tools for latest cloud patches"
git push origin patch-update-2026-03

The deployment process applies required patches, optional quality patches, and custom patches in that order.

Method 2: Quality Patches via .magento.env.yaml

Add specific patch IDs to your environment configuration:

stage:
  build:
    QUALITY_PATCHES:
      - MDVA-12345
      - MDVA-67890

Then apply from your project root:

php ./vendor/bin/ece-patches apply

Method 3: Quality Patches via CLI

For on-demand patch management, use the Quality Patches Tool. Update the package first to get the latest patch definitions:

composer update magento/quality-patches

Check available patches:

./vendor/bin/magento-patches status

Apply a specific patch:

./vendor/bin/magento-patches apply MDVA-12345

Revert a patch:

./vendor/bin/magento-patches revert MDVA-12345

Revert all patches:

./vendor/bin/magento-patches revert --all

After every patch operation, clear the cache:

php ./bin/magento cache:clean

Method 4: Custom Patches via /m2-hotfixes

Create patch files using git diff:

git diff > ./m2-hotfixes/custom-fix-001.patch

Commit and push. The deployment process applies all .patch files from this directory in alphabetical order.

Naming convention matters. Use numbered prefixes to control application order:

• 001-payment-fix.patch
• 002-catalog-update.patch

Patch Application Order

During deployment, ece-tools applies patches in a strict sequence:

1. Required patches from Cloud Patches for Commerce
2. Optional patches from Quality Patches Tool (configured in .magento.env.yaml)
3. Custom patches from /m2-hotfixes (alphabetical order)

This order ensures required infrastructure fixes land first, followed by optional quality improvements, then your custom modifications.

Current Magento Version and Patch Support (2026)

Adobe maintains security patches for multiple release lines. Here is the current support matrix:

Source: Adobe Commerce Released Versions

Key changes in 2026:

• Adobe switched to monthly isolated security fixes starting January 2026
• 2.4.9-beta1 released March 10, 2026 (general availability expected Q2 2026)
• Cloud Patches package v1.1.13 added PHP 8.5 support (March 5, 2026)

Stores running versions 2.4.4 or 2.4.5 qualify for a one-year extended support at no additional cost. Review our cloud hosting security guide for infrastructure-level protections that complement patching.

Best Practices for Patch Management

Validate in Staging Before Production

Test every patch in a staging environment first. Deploy patches there and verify:

• Store functions work as expected
• No conflicts with custom extensions
• Checkout and payment processing remain intact
• Admin panel operates without errors

Monitor the Patch Schedule

With monthly security releases in 2026, establish a patching cadence. Subscribe to Adobe's security mailing list for release notifications.

Review Patch Changes

After applying patches, examine changes to files, configurations, and database entries. Run ece-patches status to see which patches are active.

Keep Composer Packages Updated

Run composer update magento/quality-patches to access new patches. The Quality Patches Tool receives frequent updates with additional fixes.

Document Every Patch

Track which patches you apply, when, and why. This record proves invaluable during audits and when troubleshooting issues after updates.

How Managed Hosting Simplifies Patching

Patch management on Adobe Commerce Cloud requires monitoring release schedules, testing in staging, and coordinating deployments. For teams without dedicated DevOps resources, this becomes a recurring operational burden.

With managed Magento hosting, your hosting provider handles server-level patches, security updates, and infrastructure maintenance. Your team focuses on store operations instead of patch management.

Key benefits of managed patching:

• Server-level security patches applied without your intervention
• Infrastructure updates coordinated with your deployment schedule
• Expert monitoring for new vulnerability disclosures
• Reduced risk of patch conflicts causing downtime

Pros and Cons of Magento Cloud Patches

FAQ

What is the difference between Cloud Patches and Quality Patches?

Cloud Patches are required fixes that apply during every deployment through the ece-tools package. They address critical cloud infrastructure issues. Quality Patches are optional, individual fixes you choose to apply through the Quality Patches Tool or .magento.env.yaml configuration.

How often does Adobe release security patches for Magento?

Since January 2026, Adobe releases monthly isolated security fixes. Before 2026, security patches followed a quarterly schedule. Adobe recommends applying each security patch as soon as it becomes available.

Can I revert a Magento cloud patch if it causes issues?

Quality Patches can be reverted using ./vendor/bin/magento-patches revert PATCH-ID or --all to revert everything. Cloud Patches that ship with ece-tools cannot be reverted one by one because they are required for cloud infrastructure compatibility.

Do I need to apply patches on Adobe Commerce Cloud?

Required Cloud Patches apply during deployment through ece-tools with no manual action needed. Quality Patches and custom patches require configuration in .magento.env.yaml or placement in /m2-hotfixes.

What happens if I skip a security patch?

Skipping security patches leaves known vulnerabilities open in your store. Adobe documents specific CVEs addressed by each patch. Unpatched stores risk data breaches, unauthorized access, and potential compliance violations.

What is the latest version of the magento-cloud-patches package?

As of March 2026, the latest version is v1.1.13, released March 5, 2026. This version added PHP 8.5 support and updated test coverage for PHP 8.1 and 8.2.

How do I check which patches are applied to my store?

Run ./vendor/bin/ece-patches status for Cloud Patches or ./vendor/bin/magento-patches status for Quality Patches. Both commands display patch IDs, titles, and application status.

Is Adobe Commerce 2.4.4 still receiving security patches?

Yes, but extended support for version 2.4.4 ends April 2026. The latest available patch is 2.4.4-p17 (March 10, 2026). Adobe recommends upgrading to 2.4.8 for long-term support through April 2028.

Can I apply Magento cloud patches to on-premise installations?

Cloud Patches are specific to Adobe Commerce Cloud infrastructure. On-premise installations should use the Quality Patches Tool (magento/quality-patches) for individual fixes and follow the standard Composer update workflow.

What is the /m2-hotfixes directory used for?

The /m2-hotfixes directory at your project root holds custom patch files. During deployment, ece-tools applies all .patch files from this directory in alphabetical order, after required and optional patches. Use numbered prefixes to control the application sequence.

Summary

Magento cloud patches protect your store through three mechanisms: required Cloud Patches that apply during deployment, optional Quality Patches you select for specific fixes, and custom patches in /m2-hotfixes for unique issues.

Adobe's shift to monthly security releases in 2026 means more frequent patching cycles. Keep your ece-tools and quality-patches packages updated to access the latest fixes. Test every patch in staging before production deployment.

For stores that need reliable patching without the operational overhead, explore managed hosting to handle server-level security and infrastructure updates while your team focuses on growing your business.