diff --git a/.trivyignore b/.trivyignore
index 58488007a8b..2b84b7d1f80 100644
--- a/.trivyignore
+++ b/.trivyignore
@@ -30,4 +30,14 @@ CVE-2022-41721
 # This CVE has not yet been patched in the kubectl version we are using, however it should not
 # affect us as kubernetes does not use the affected code path (see description in
 # https://github.com/kubernetes/kubernetes/pull/118036).
-CVE-2023-2253
\ No newline at end of file
+CVE-2023-2253
+
+# These CVEs only impacts install of Gloo-Edge from Glooctl CLI.
+# It only leads to a panic if there is a misconfigured / malicious helm plugin installed
+# and can be easily resolved by removing the misconfigured / malicious plugin
+# The helm bump will require bumping the k8s dependencies by +2 minor versions that can cause issues.
+# https://github.com/advisories/GHSA-r53h-jv2g-vpx6
+# https://github.com/solo-io/gloo/issues/9186
+# https://github.com/solo-io/gloo/issues/9187
+# https://github.com/solo-io/gloo/issues/9189
+CVE-2024-26147
\ No newline at end of file
diff --git a/changelog/v1.14.30/cve-kubctl-update.yaml b/changelog/v1.14.30/cve-kubctl-update.yaml
new file mode 100644
index 00000000000..86b5f24ee06
--- /dev/null
+++ b/changelog/v1.14.30/cve-kubctl-update.yaml
@@ -0,0 +1,13 @@
+changelog:
+- type: DEPENDENCY_BUMP dependencyOwner: bitnami dependencyRepo: kubectl dependencyTag: 1.27.13 issueLink: https://github.com/solo-io/gloo/issues/9442 description: Upgrade image used to build kubectl to pick up CVE fixes.
+- type: DEPENDENCY_BUMP dependencyOwner: solo-io dependencyRepo: cloud-builders dependencyTag: 0.7.6 issueLink: https://github.com/solo-io/gloo/issues/9442 description: Update clouderbuilder image to use updated version of Go to pick up CVE fixes.
\ No newline at end of file
diff --git a/ci/cloudbuild/publish-artifacts.yaml b/ci/cloudbuild/publish-artifacts.yaml
index 82f611795a1..4428599c840 100644
--- a/ci/cloudbuild/publish-artifacts.yaml
+++ b/ci/cloudbuild/publish-artifacts.yaml
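Review bot: The added suppression for CVE-2024-26147 at the end of the hunk is repository-wide and open-ended, while the justification above it is scoped to glooctl installs and to a helm bump that is only being deferred; `.trivyignore` accepts an expiry suffix, so `CVE-2024-26147 exp:YYYY-MM-DD` (date placeholder, to be set when the k8s/helm bump is scheduled) would force the entry to be revisited instead of lingering after the dependency is eventually updated. The new comment also reads "These CVEs" although a single ID follows; `# This CVE only impacts install of Gloo-Edge from the glooctl CLI.` matches the entry. The retained context comment for CVE-2023-2253 says that CVE is unpatched in the kubectl version in use, but jobs/kubectl/Dockerfile in this same commit moves bitnami/kubectl from 1.25.15 to 1.27.13, so that older suppression may now be stale and should be re-checked against the new image rather than carried forward unchanged.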
@@ -1,6 +1,6 @@ steps:
-- name: 'gcr.io/$PROJECT_ID/prepare-go-workspace:0.7.1'
+- name: 'gcr.io/$PROJECT_ID/prepare-go-workspace:0.7.6'
 id: 'prepare-workspace'
 args:
 - '--repo-name'
@@ -44,7 +44,7 @@ steps:
 - 'us-central1-a'
 # Run make targets to push docker images to quay.io
-- name: 'gcr.io/$PROJECT_ID/go-mod-make:0.7.1'
+- name: 'gcr.io/$PROJECT_ID/go-mod-make:0.7.6'
 id: 'docker-push-extended'
 args:
 - 'docker-push-extended'
@@ -65,7 +65,7 @@ steps:
 waitFor:
 - 'docker-push-extended'
-- name: 'gcr.io/$PROJECT_ID/go-mod-make:0.7.1'
+- name: 'gcr.io/$PROJECT_ID/go-mod-make:0.7.6'
 id: 'release-chart'
 dir: *dir
 args:
@@ -82,7 +82,7 @@ steps:
 - 'gcr-auth'
 # Run make targets to retag and push docker images to GCR
-- name: 'gcr.io/$PROJECT_ID/go-mod-make:0.7.1'
+- name: 'gcr.io/$PROJECT_ID/go-mod-make:0.7.6'
 id: 'docker-push-extended-gcr'
 dir: *dir
 args:
diff --git a/jobs/kubectl/Dockerfile b/jobs/kubectl/Dockerfile
index 7b183a8ecae..a9daaa2f21c 100644
--- a/jobs/kubectl/Dockerfile
+++ b/jobs/kubectl/Dockerfile
@@ -1,4 +1,4 @@
-FROM bitnami/kubectl:1.25.15 as kubectl
+FROM bitnami/kubectl:1.27.13 as kubectl
 FROM alpine:3.17.6