opentofu

v1.11.9 Security

This release includes 3 security fixes for security teams reviewing exposed deployments.

✓ No known CVEs patched
This release patches 3 known CVEs

Affected surfaces

auth rce_ssrf

ReleasePort's take

Moderate signal
editorial:auto 16h

OpenTofu v1.11.9 resolves SSH hangs/panics, adds CA revocation checks for SignatureKey, hardens OpenBao JWE handling, and sanitizes SSH error bytes.

Why it matters: Addresses high-severity (90) security issues affecting SSH connections and certificate verification; mitigates CPU abuse in remote execution. Severity: critical.

Summary

AI summary

Security fixes for SSH hangs, revoked SignatureKey checks, OpenBao key provider panics, and unescaped SSH error bytes.

Changes in this release

Security Critical

Fixes SSH hangs and panics in OpenTofu connections.

Source: llm_adapter@2026-06-12

Confidence: high

Security Critical

Checks revocation for both 'key' and 'key.SignatureKey' in CA verification.

Source: llm_adapter@2026-06-12

Confidence: high

Security Critical

Prevents panics or hangs when using OpenBao key provider with wrapping JWE algorithms on compromised systems.

Source: llm_adapter@2026-06-12

Confidence: high

Security High

Sanitizes error bytes returned from SSH connection attempts to avoid unescaped input.

Source: llm_adapter@2026-06-12

Confidence: high

Security High

Mitigates high CPU consumption when running `tofu` against attacker-controlled servers.

Source: llm_adapter@2026-06-12

Confidence: high

Bugfix Medium

Fixes race condition during `tofu login` when handling closing signals.

Source: llm_adapter@2026-06-12

Confidence: high

Bugfix Medium

Prevents panic when using ephemeral resources during `tofu test`.

Source: llm_adapter@2026-06-12

Confidence: high

Full changelog

1.11.9

SECURITY ADVISORIES:

  • Previous releases in the v1.11 series could be affected by several vulnerabilities:

    • SSH usage through OpenTofu generates hangs or panics.
    • Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for revocation.

    These are now fixed by (#4145)

  • If the OpenBao key provider is used for state encryption with wrapping algorithms, it could generate panics or hangs on compromised systems where the JWE is specifically crafted. (#4177)

  • Previous releases in the v1.11 series could be affected by several vulnerabilities:

    • When using SSH connections through OpenTofu, the errors returned from a connection attempt could include unescaped input bytes.
    • Running tofu against an attacker-controlled server could result in high CPU consumption.

    These are now fixed by (#4248)

BUG FIXES:

  • Fix race condition while handling closing signals during `tofu login`, both when the signal is sent by the user and when the browser fails to successfully connect. (#4016)
  • Prevent panic when using ephemeral resources during `tofu test`. (#4254)

Full Changelog: https://github.com/opentofu/opentofu/compare/v1.11.8...v1.11.9

Security Fixes

  • SSH usage through OpenTofu no longer causes hangs or panics (unescaped error bytes fixed).
  • Revoked 'SignatureKey' belonging to a CA is now correctly checked for revocation (both 'key' and 'key.SignatureKey').
  • OpenBao key provider with wrapping algorithms no longer generates panics or hangs on compromised systems with crafted JWE.

About opentofu

OpenTofu lets you declaratively manage your cloud infrastructure.

Related context

Earlier breaking changes

  • v1.12.0 Removal of OPENTOFU_USER_AGENT environment variable affects custom User-Agent header behavior.