OpenTofu v1.12.2 was released on June 12, 2026, delivering critical security updates for state encryption and remote connection handling. This maintenance release addresses vulnerabilities that could lead to panics or high CPU usage in specific edge cases. It also resolves a persistent issue with the Unix kernel incorrectly identifying deadlocks when multiple processes access the global plugin cache.
The full release notes and downloads are on the GitHub release page.
Security hardening for state encryption and SSH
This release focuses heavily on securing the data layer and the transport layer for OpenTofu operators. One major fix involves the OpenBao key provider when used for state encryption. In the v1.12 series, certain wrapping algorithms could trigger a panic or a hang if the system encountered a specially crafted JWE. This vulnerability, addressed in PR 4177, is particularly relevant for environments using OpenBao to manage secrets and encryption keys for sensitive infrastructure state.
SSH connection security also saw significant improvements. The project fixed an issue where errors returned during an SSH connection attempt could include unescaped input bytes. This posed a risk of log injection or terminal manipulation if an operator connected to a compromised or malicious endpoint. Furthermore, PR 4247 mitigates a denial-of-service vector where an attacker-controlled server could cause the tofu binary to consume excessive CPU cycles during the connection phase. These fixes ensure that the automation pipeline remains resilient even when interacting with untrusted remote systems.
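The unescaped-bytes problem described above, as an added example that is not OpenTofu's code or the fix shipped in this release: a Go helper that escapes peer-supplied bytes before they reach an error string. The names `SanitizeRemote` and `SafeBannerError`, the 256-byte cap and the sample banner are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
	"unicode/utf8"
)

// maxRemoteText caps peer-supplied text copied into an error (assumed limit).
const maxRemoteText = 256

// SanitizeRemote renders untrusted peer bytes as printable text, so control
// characters cannot forge log lines or drive terminal escape sequences.
func SanitizeRemote(b []byte) string {
	var sb strings.Builder
	suffix := ""
	if len(b) > maxRemoteText {
		b, suffix = b[:maxRemoteText], "...[truncated]"
	}
	for len(b) > 0 {
		r, size := utf8.DecodeRune(b)
		switch {
		case r == utf8.RuneError && size == 1:
			fmt.Fprintf(&sb, `\x%02x`, b[0]) // invalid UTF-8 byte
		case r == '\\':
			sb.WriteString(`\\`) // keep the escaping unambiguous
		case unicode.IsPrint(r):
			sb.WriteRune(r)
		case r < 0x80:
			fmt.Fprintf(&sb, `\x%02x`, r) // ASCII control: ESC, CR, LF, ...
		default:
			fmt.Fprintf(&sb, `\u%04x`, r) // C1 controls, bidi overrides, ...
		}
		b = b[size:]
	}
	return sb.String() + suffix
}

// SafeBannerError is the hardened form of fmt.Errorf("...: %s", banner).
func SafeBannerError(banner []byte) error {
	return fmt.Errorf("ssh: unexpected server banner: %s", SanitizeRemote(banner))
}

func main() {
	// Constructed sample: CRLF with a forged log line, an ANSI clear-screen, a stray byte.
	fmt.Println(SafeBannerError([]byte("SSH-2.0-x\r\nINFO apply complete\x1b[2J\xff")))
}
```

The resulting error always stays on one line and contains only printable characters, which is the property to check in any code path that logs text received from a remote peer.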
Fixing kernel-level deadlocks in the plugin cache
For SREs running high-concurrency CI pipelines on Unix, the EDEADLK fix in PR 4166 is a welcome change. When multiple OpenTofu processes attempt to install providers while sharing a global plugin cache, the Unix kernel can sometimes return a deadlock error. This is often a false positive triggered by the way file locks are managed across different processes.
The update ensures that OpenTofu properly handles the EDEADLK error during the provider installation process. Instead of failing the build, the logic now accounts for this kernel behavior, allowing the installation to proceed once the lock is available. This change reduces flakiness in automated workflows where many parallel jobs might be pulling the same set of providers into a shared filesystem.
Improving stability for login and testing workflows
Beyond security and kernel-level fixes, v1.12.2 addresses several stability issues in the CLI. The tofu login command had a race condition that occurred when a user tried to close the process or when the browser failed to establish a connection. This could leave the terminal in an inconsistent state or cause the process to hang. The fix in PR 4016 ensures that closing signals are captured reliably, allowing for a clean exit even during a failed authentication attempt.
Additionally, the tofu test command received a fix for a panic that occurred when using ephemeral resources. Ephemeral resources are a powerful feature for short-lived infrastructure testing, but a bug in how they were tracked during the test lifecycle could crash the runner. PR 4254 resolves this by ensuring the resource state is correctly managed throughout the execution of the test suite. This makes the testing framework more reliable for complex module validations that rely on temporary resources.
Upgrade notes
As a patch release, v1.12.2 is a drop-in replacement for earlier versions in the v1.12 branch. There are no breaking changes to the configuration language or the state format. However, because of the security implications for state encryption and SSH, we recommend that all users upgrade immediately. This is especially true for teams using the global plugin cache on Linux or macOS, as the deadlock fix will significantly improve CI reliability.
Where to get it
- The release page: https://github.com/opentofu/opentofu/releases/tag/v1.12.2
- The project repository: https://github.com/opentofu/opentofu
- The tag: v1.12.2