OpenTofu 1.12.1 Release: Security Patch and v1.12.0 Regression Fixes


OpenTofu v1.12.1 shipped on May 27, 2026 as a patch release for the 1.12 line. The headline is a security advisory covering SSH handling in tofu generate and a CA SignatureKey revocation gap. The release also clears two regressions introduced in v1.12.0 and fixes the Azure key provider configuration.

The full release notes and downloads are on the GitHub release page.

Security advisories

Two issues in the v1.12 series get patched in this release. Both are folded into a single fix in PR #4145.

  • SSH usage through tofu generate could hang or panic. Operators running tofu generate against SSH-backed sources were exposed to either a stuck process or a runtime panic, depending on the code path taken. The patch closes that.
  • Previously, a revoked SignatureKey belonging to a CA was not correctly checked for revocation. After the fix, both key and key.SignatureKey are checked against the @revoked state. If you rely on key revocation for your provider signature trust, this is the one that matters.

If your pipelines pin to v1.12.0, plan the upgrade. The advisory text on the release explicitly flags previous v1.12 builds as affected.

Regressions from v1.12.0 cleared

Two bugs that landed with v1.12.0 are resolved here.

  • Excessive memory usage by providers, fixed in PR #4126. If you noticed tofu plan and tofu apply consuming much more RAM since the 1.12.0 jump, this is the cause. Worth a recheck on long-running CI runners after the upgrade.
  • replace_triggered_by was being validated incorrectly, fixed in PR #4133. The lifecycle block rejected or wrongly accepted expressions that should have passed validation. If your modules use replace_triggered_by to wire replacement triggers across resources, retest after upgrading.

Neither bug is exotic. Both are exactly the kind of papercut you only notice once you upgrade and your plan output looks strange.

Azure key provider now reads its variables properly

A smaller but specific fix lands for the Azure key provider in issue #4091.

Before this release, the Azure key provider accepted tenant_id, subscription_id, environment, and metadata_host only through environment variables. The corresponding block-level attributes were ignored, which forced users into shell exports or wrapper scripts. The fix lets you set them directly in the provider configuration. If you maintain a multi-tenant setup or rotate environments per workspace, drop the env var workaround and put the values where they belong.
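As an added illustration (not from the release notes or the OpenTofu project), this is how the four attributes land in a state-encryption block once you are on v1.12.1. The key provider type name "azure_keyvault", the vault and key attributes, and the sample values are placeholders or constructed: the page names only the four attributes the fix makes configurable, while the key_provider, method and state wiring follows OpenTofu's standard encryption layout.

```hcl
terraform {
  encryption {
    # Azure key provider. The type name "azure_keyvault" is a placeholder;
    # use the type name from the OpenTofu docs for your version.
    key_provider "azure_keyvault" "prod" {
      # Placeholders for the Key Vault key that wraps the data keys.
      vault_name = "PLACEHOLDER-vault"
      key_name   = "PLACEHOLDER-key"

      # From v1.12.1 these four values are read from the block. On v1.12.0
      # they were ignored here and only honoured as environment variables,
      # so a multi-tenant setup needed per-workspace shell exports instead.
      tenant_id       = var.tenant_id
      subscription_id = var.subscription_id
      environment     = "public"               # constructed sample value
      metadata_host   = "management.azure.com" # constructed sample value
    }

    method "aes_gcm" "prod" {
      keys = key_provider.azure_keyvault.prod
    }

    # enforced = true refuses to read or write unencrypted state, so a
    # misconfigured provider fails loudly instead of silently falling back.
    state {
      method   = method.aes_gcm.prod
      enforced = true
    }

    plan {
      method   = method.aes_gcm.prod
      enforced = true
    }
  }
}

# Per-workspace values supplied through tfvars or -var, not shell exports.
variable "tenant_id"       { type = string }
variable "subscription_id" { type = string }
```

Run tofu validate and tofu plan after the change; on v1.12.0 the block-level values would have been ignored, so confirm the provider now resolves the tenant you expect before moving production state.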

Upgrade notes

This is a patch release with no breaking changes in the notes. Behavior changes are limited to the items above.

  • Operators on v1.12.0 should upgrade because of the security advisory.
  • After upgrade, watch provider memory usage to confirm PR #4126 took effect for your workload.
  • Anyone with replace_triggered_by in module code should re-run tofu validate and tofu plan to confirm no false positives or false negatives in the lifecycle wiring.
  • Azure key provider users can now move tenant_id, subscription_id, environment, and metadata_host out of environment variables and into the provider block.

The full changelog for the 1.12 line lives at https://github.com/opentofu/opentofu/blob/v1.12/CHANGELOG.md if you want the full picture across the 1.12.x patches.

Where to get it



denis256 at denis256.dev