OpenTofu v1.11.9 was released on June 12, 2026, delivering critical security updates for SSH connectivity and the state encryption key providers. This version patches vulnerabilities that could lead to hangs or high CPU consumption when interacting with compromised servers or specially crafted encryption material. As a maintenance release in the v1.11 series, it focuses on stability and security without introducing breaking changes to the core engine or configuration syntax.
The full release notes and downloads are on the GitHub release page.
Security Hardening for SSH and OpenBao ¶
A primary focus of this release is fixing security vulnerabilities in the v1.11 series, specifically in how the engine handles external connections and encrypted state. Several issues related to SSH usage through the OpenTofu generate command have been addressed in pull request #4145. Previously, certain SSH configurations could cause the process to hang or panic during the generation phase. Furthermore, the logic for checking revoked SignatureKey attributes belonging to a Certificate Authority has been corrected: both the certified key and the key that signed the certificate are now checked against the revocation list, so a certificate issued by a CA key that has since been revoked is rejected instead of being accepted because only the certified key was examined.
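The revocation gap described above, as an added illustration that is not OpenTofu's code or the upstream SSH library fix: a toy certificate model in Go using only the standard library, where the flawed checker looks up only the certified key in the revocation list and the hardened checker also looks up the signing key. Cert, Checker and the fingerprint scheme are assumptions made for this example; real SSH certificates carry more fields (principals, validity window, serial) that are omitted here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// Fingerprint returns the SHA-256 fingerprint of a public key in the same
// "SHA256:<base64>" shape that OpenSSH prints.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// Cert is a minimal stand-in (assumption for this example) for an SSH
// certificate: the key being certified, the CA key that signed it (the
// SignatureKey) and the CA's signature over the certified key.
type Cert struct {
	Key          ed25519.PublicKey
	SignatureKey ed25519.PublicKey
	Signature    []byte
}

// Issue has a CA sign a leaf public key.
func Issue(caPriv ed25519.PrivateKey, leaf ed25519.PublicKey) Cert {
	return Cert{
		Key:          leaf,
		SignatureKey: caPriv.Public().(ed25519.PublicKey),
		Signature:    ed25519.Sign(caPriv, leaf),
	}
}

var (
	ErrUntrustedCA  = errors.New("certificate not signed by a trusted CA")
	ErrBadSignature = errors.New("certificate signature does not verify")
	ErrRevoked      = errors.New("key is revoked")
)

// Checker holds the trusted CA fingerprints and a revocation list keyed by
// fingerprint. Both CA keys and certified keys may appear in Revoked.
type Checker struct {
	TrustedCAs map[string]bool
	Revoked    map[string]bool
}

// CheckLeafOnly mirrors the flawed logic: only the certified key is looked up
// in the revocation list, so a certificate minted by a CA whose key has since
// been revoked is still accepted.
func (c *Checker) CheckLeafOnly(cert Cert) error {
	if !c.TrustedCAs[Fingerprint(cert.SignatureKey)] {
		return ErrUntrustedCA
	}
	if !ed25519.Verify(cert.SignatureKey, cert.Key, cert.Signature) {
		return ErrBadSignature
	}
	if c.Revoked[Fingerprint(cert.Key)] {
		return ErrRevoked
	}
	return nil
}

// CheckBoth is the hardened form: the signing key is checked against the
// revocation list before the signature is even verified, and the certified
// key is checked afterwards.
func (c *Checker) CheckBoth(cert Cert) error {
	caFP := Fingerprint(cert.SignatureKey)
	if !c.TrustedCAs[caFP] {
		return ErrUntrustedCA
	}
	if c.Revoked[caFP] {
		return fmt.Errorf("signature key %s: %w", caFP, ErrRevoked)
	}
	if !ed25519.Verify(cert.SignatureKey, cert.Key, cert.Signature) {
		return ErrBadSignature
	}
	if leafFP := Fingerprint(cert.Key); c.Revoked[leafFP] {
		return fmt.Errorf("certified key %s: %w", leafFP, ErrRevoked)
	}
	return nil
}

// Scenario builds a CA, issues a certificate, revokes the CA key (as after a
// CA compromise) and returns what each checker says about the certificate.
func Scenario() (leafOnly, both error) {
	caPub, caPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	leafPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	cert := Issue(caPriv, leafPub)
	chk := &Checker{
		TrustedCAs: map[string]bool{Fingerprint(caPub): true},
		Revoked:    map[string]bool{Fingerprint(caPub): true},
	}
	return chk.CheckLeafOnly(cert), chk.CheckBoth(cert)
}

func main() {
	leafOnly, both := Scenario()
	fmt.Println("leaf-only check:", leafOnly) // <nil>: the revoked CA is still trusted
	fmt.Println("both-keys check:", both)     // signature key ...: key is revoked
}
```

The ordering in CheckBoth is deliberate: the signing key's revocation status is decided before any signature verification, so a revoked CA cannot even get as far as having its signatures examined.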
Another significant security fix involves the OpenBao key provider used for state encryption, addressed in pull request #4177. When wrapping algorithms are employed, a specially crafted JSON Web Encryption (JWE) message from a compromised system could trigger hangs or panics. This release hardens the state encryption logic so that malicious or malformed encryption headers cannot destabilize the tofu process. This matters most for teams operating in multi-tenant environments where state encryption keys are managed by an external provider, because that provider's responses then sit inside the trust boundary of every tofu run.
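As an added example, and not the content of pull request #4177, the kind of validation a hardened key provider applies before touching a JWE: bound the protected header size, decode it strictly, and reject any alg, enc or zip value outside an allowlist so that a malformed or hostile header fails fast instead of reaching the unwrap code. The size limit, the allowlists, the refusal of compressed payloads and the helper that builds sample tokens are assumptions chosen for this example, not OpenTofu settings.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"strings"
)

// maxProtectedHeader bounds how much base64url is decoded before JSON parsing.
// The value is an assumed ceiling for this example, not an OpenTofu constant.
const maxProtectedHeader = 4096

// Assumed allowlists: the only key-wrapping and content-encryption algorithms
// this parser will accept.
var (
	allowedAlg = map[string]bool{"A256KW": true, "A256GCMKW": true, "dir": true}
	allowedEnc = map[string]bool{"A256GCM": true}
)

// JWEHeader lists the protected-header members this example recognises.
// Unknown members are rejected outright (strict parsing).
type JWEHeader struct {
	Alg string `json:"alg"`
	Enc string `json:"enc"`
	Typ string `json:"typ,omitempty"`
	Cty string `json:"cty,omitempty"`
	Kid string `json:"kid,omitempty"`
	Zip string `json:"zip,omitempty"`
}

var ErrMalformedJWE = errors.New("malformed JWE")

// ParseProtectedHeader validates the protected header of a JWE in compact
// serialization (five base64url segments separated by dots). Every failure
// wraps ErrMalformedJWE so callers can treat the whole class uniformly.
func ParseProtectedHeader(compact string) (JWEHeader, error) {
	parts := strings.Split(compact, ".")
	if len(parts) != 5 {
		return JWEHeader{}, fmt.Errorf("%w: expected 5 segments, got %d", ErrMalformedJWE, len(parts))
	}
	if len(parts[0]) == 0 || len(parts[0]) > maxProtectedHeader {
		return JWEHeader{}, fmt.Errorf("%w: protected header length %d out of range", ErrMalformedJWE, len(parts[0]))
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return JWEHeader{}, fmt.Errorf("%w: protected header is not base64url: %v", ErrMalformedJWE, err)
	}

	var h JWEHeader
	dec := json.NewDecoder(strings.NewReader(string(raw)))
	dec.DisallowUnknownFields()
	if err := dec.Decode(&h); err != nil {
		return JWEHeader{}, fmt.Errorf("%w: protected header is not valid JSON: %v", ErrMalformedJWE, err)
	}
	// Exactly one JSON value is allowed; anything after it is hostile or corrupt.
	if _, err := dec.Token(); err != io.EOF {
		return JWEHeader{}, fmt.Errorf("%w: trailing data after protected header", ErrMalformedJWE)
	}

	if !allowedAlg[h.Alg] {
		return JWEHeader{}, fmt.Errorf("%w: key-wrapping alg %q not allowed", ErrMalformedJWE, h.Alg)
	}
	if !allowedEnc[h.Enc] {
		return JWEHeader{}, fmt.Errorf("%w: content enc %q not allowed", ErrMalformedJWE, h.Enc)
	}
	// Compressed payloads are refused: inflating attacker-sized data is an
	// easy way to burn CPU and memory, and state encryption has no need for it.
	if h.Zip != "" {
		return JWEHeader{}, fmt.Errorf("%w: compressed payloads (zip=%q) are not accepted", ErrMalformedJWE, h.Zip)
	}
	return h, nil
}

// CompactWithHeader builds a compact-serialization token around the given
// protected header. The other four segments are constructed placeholders
// (empty encrypted key as with alg=dir, IV, ciphertext, tag), not real data.
func CompactWithHeader(headerJSON string) string {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(headerJSON))
	return strings.Join([]string{hdr, "", "AAAAAAAAAAAAAAAA", "AAAA", "AAAAAAAAAAAAAAAAAAAAAA"}, ".")
}

func main() {
	for _, tok := range []string{
		CompactWithHeader(`{"alg":"dir","enc":"A256GCM","kid":"state-key-1"}`),
		CompactWithHeader(`{"alg":"none","enc":"A256GCM"}`),
		CompactWithHeader(`{"alg":"dir","enc":"A256GCM","zip":"DEF"}`),
		strings.Repeat("A", 5000) + "....",
	} {
		h, err := ParseProtectedHeader(tok)
		fmt.Printf("header=%+v err=%v\n", h, err)
	}
}
```

Rejecting unknown header members is stricter than RFC 7516 requires; it is the right default for a single-purpose consumer such as a state key provider, where the set of headers the writer produces is known in advance.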
OpenTofu also improved how SSH connection errors are handled, to prevent information leakage and resource exhaustion. As noted in pull request #4248, earlier versions could include unescaped bytes received from the remote end in error messages. Because a malicious server controls those bytes, it could inject terminal control sequences into the operator's console. Additionally, a vulnerability that allowed an attacker-controlled server to cause high CPU consumption during a tofu run has been mitigated by improving the timeout and retry logic for remote operations.
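Two defences implied by the paragraph above, written in Go as an added example rather than the project's actual change: remote-supplied bytes are escaped and length-bounded before they reach an error message, and a remote operation is abandoned when it exceeds a deadline instead of being allowed to spin. The function names, the 256-byte cap and the sample banner are assumptions; the banner is constructed for the example.

```go
package main

import (
	"context"
	"fmt"
	"strings"
	"time"
	"unicode"
	"unicode/utf8"
)

// SanitizeRemote makes attacker-controlled text safe to print on a terminal:
// control characters, DEL and non-printable runes become \x.. or \u.... escapes,
// invalid UTF-8 bytes become \x.. escapes, and the input is truncated at limit
// bytes so a hostile server cannot flood the console either.
func SanitizeRemote(s string, limit int) string {
	truncated := false
	if len(s) > limit {
		s, truncated = s[:limit], true
	}
	var b strings.Builder
	for i := 0; i < len(s); {
		r, size := utf8.DecodeRuneInString(s[i:])
		switch {
		case r == utf8.RuneError && size == 1: // invalid byte, not a real rune
			fmt.Fprintf(&b, `\x%02x`, s[i])
		case r < 0x20 || r == 0x7f: // C0 controls (ESC, CR, NUL, ...) and DEL
			fmt.Fprintf(&b, `\x%02x`, r)
		case unicode.IsPrint(r):
			b.WriteRune(r)
		default: // C1 controls, line/paragraph separators, unassigned code points
			fmt.Fprintf(&b, `\u%04x`, r)
		}
		i += size
	}
	if truncated {
		b.WriteString("...[truncated]")
	}
	return b.String()
}

// DescribeRemoteFailure wraps a server-supplied message into an error that is
// safe to log or print. 256 bytes is an assumed cap for the example.
func DescribeRemoteFailure(host, remoteMsg string) error {
	return fmt.Errorf("ssh: %s: remote reported: %s", host, SanitizeRemote(remoteMsg, 256))
}

// RunRemote runs op with a deadline. If the remote side stalls, the caller gets
// a DeadlineExceeded error promptly. op must honour ctx; an op that ignores
// cancellation leaks its goroutine, which is why real transports plumb ctx
// all the way down to the socket.
func RunRemote(ctx context.Context, timeout time.Duration, op func(context.Context) error) error {
	ctx, cancel := context.WithTimeout(ctx, timeout)
	defer cancel()
	done := make(chan error, 1)
	go func() { done <- op(ctx) }()
	select {
	case err := <-done:
		return err
	case <-ctx.Done():
		return fmt.Errorf("remote operation abandoned after %s: %w", timeout, ctx.Err())
	}
}

func main() {
	// Constructed sample of what a hostile server might send back: clear the
	// screen, move the cursor home, then print a reassuring lie.
	banner := "\x1b[2J\x1b[H\rgit@example.invalid: access granted\x00"
	fmt.Println(DescribeRemoteFailure("example.invalid", banner))

	// A server that never answers is cut off instead of being waited on forever.
	stall := func(ctx context.Context) error { <-ctx.Done(); return ctx.Err() }
	fmt.Println(RunRemote(context.Background(), 50*time.Millisecond, stall))
}
```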
Stability and Testing Fixes ¶
Beyond the security advisory items, v1.11.9 fixes a race condition in the tofu login process. Tracked as pull request #4016, the issue occurred when handling interrupt signals: it was visible both when a user manually interrupted the command via a signal and when the browser failed to establish a connection to the authentication provider. The fix makes the signal handling routine thread-safe and ensures the CLI cleans up its local state regardless of how the login attempt terminates.
For users of the OpenTofu testing framework, this release fixes a panic during module validation. Pull request #4254 addresses a failure when ephemeral resources are used under the tofu test command. Ephemeral resources are increasingly common in modern infrastructure patterns for short-lived secrets or temporary access tokens, and this fix makes the native test suite reliable for complex modules that depend on these dynamic resource types.
Upgrade Notes ¶
As this release contains multiple security fixes, operators running any version in the v1.11 series are strongly encouraged to upgrade to v1.11.9. Because this is a patch release, there are no breaking changes to the state file format or the HCL parser. The migration should be a straightforward binary replacement. Teams using the OpenBao encryption provider should verify their key wrapping configurations after the upgrade to ensure that the new validation logic correctly handles their existing JWE headers.
Where to get it ¶
The release is available for download through the following channels:
- The GitHub release page
- The project repository
- Tagged as v1.11.9 in the git history
Operators can verify the installation by running tofu version and ensuring the output matches the new tag.