diff --git a/Dockerfile b/Dockerfile
index 87c1220e4..43fbb508f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM --platform=$BUILDPLATFORM golang:1.26.3@sha256:633d23bf362cb40dd72b4f277288a8929697d77537f9c801b81aeced19b5bdf3 AS builder
+FROM --platform=$BUILDPLATFORM golang:1.26.3@sha256:cc9a5d7a008cfe2cbc7ffc752b0d6636ad30fc16e4a648d2e4aac00fd8b25ca3 AS builder
 ARG TARGETOS
 ARG TARGETARCH
 ARG SOURCE_DATE_EPOCH=0
@@ -26,7 +26,7 @@ RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} \
 # Use distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
-FROM gcr.io/distroless/static:nonroot@sha256:e3f945647ffb95b5839c07038d64f9811adf17308b9121d8a2b87b6a22a80a39
+FROM gcr.io/distroless/static:nonroot@sha256:963fa6c544fe5ce420f1f54fb88b6fb01479f054c8056d0f74cc2c6000df5240
 WORKDIR /
 COPY --from=builder /workspace/manager .
 USER 65532:65532
diff --git a/Dockerfile.backup b/Dockerfile.backup
index f94e5bba7..957fc716c 100644
--- a/Dockerfile.backup
+++ b/Dockerfile.backup
@@ -8,7 +8,7 @@
 # Example build (from repo root):
 # docker build -f Dockerfile.backup -t openbao-backup:dev .
-FROM --platform=$BUILDPLATFORM golang:1.26.3@sha256:633d23bf362cb40dd72b4f277288a8929697d77537f9c801b81aeced19b5bdf3 AS builder
+FROM --platform=$BUILDPLATFORM golang:1.26.3@sha256:cc9a5d7a008cfe2cbc7ffc752b0d6636ad30fc16e4a648d2e4aac00fd8b25ca3 AS builder
 ARG TARGETOS
 ARG TARGETARCH
 ARG SOURCE_DATE_EPOCH=0
@@ -27,7 +27,7 @@ RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} \
 go build -a -mod=vendor -trimpath -buildvcs=false -ldflags="-buildid=" -o bao-backup ./cmd/bao-backup && \
 touch -h -d "@${SOURCE_DATE_EPOCH}" bao-backup
-FROM gcr.io/distroless/static:nonroot@sha256:e3f945647ffb95b5839c07038d64f9811adf17308b9121d8a2b87b6a22a80a39
+FROM gcr.io/distroless/static:nonroot@sha256:963fa6c544fe5ce420f1f54fb88b6fb01479f054c8056d0f74cc2c6000df5240
 # The backup executor binary is designed to run as a non-root user. We align the
 # container user and group IDs with the IDs used by the operator-managed
diff --git a/Dockerfile.init b/Dockerfile.init
index 09fb953c8..4aae7239d 100644
--- a/Dockerfile.init
+++ b/Dockerfile.init
@@ -1,4 +1,4 @@
-FROM --platform=$BUILDPLATFORM golang:1.26.3@sha256:633d23bf362cb40dd72b4f277288a8929697d77537f9c801b81aeced19b5bdf3 AS builder
+FROM --platform=$BUILDPLATFORM golang:1.26.3@sha256:cc9a5d7a008cfe2cbc7ffc752b0d6636ad30fc16e4a648d2e4aac00fd8b25ca3 AS builder
 ARG TARGETOS
 ARG TARGETARCH
 ARG SOURCE_DATE_EPOCH=0
@@ -28,7 +28,7 @@ RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} \
 go build -a -mod=vendor -trimpath -buildvcs=false -ldflags="-buildid=" -o bao-probe ./cmd/bao-probe && \
 touch -h -d "@${SOURCE_DATE_EPOCH}" bao-probe
-FROM gcr.io/distroless/static:nonroot@sha256:e3f945647ffb95b5839c07038d64f9811adf17308b9121d8a2b87b6a22a80a39
+FROM gcr.io/distroless/static:nonroot@sha256:963fa6c544fe5ce420f1f54fb88b6fb01479f054c8056d0f74cc2c6000df5240
 # The config-init binary is designed to run as a non-root user. We align the
 # container user and group IDs with the IDs used by the operator-managed
diff --git a/Dockerfile.upgrade b/Dockerfile.upgrade
index a0d55d853..90731fac4 100644
--- a/Dockerfile.upgrade
+++ b/Dockerfile.upgrade
@@ -7,7 +7,7 @@
 # Example build (from repo root):
 # docker build -f Dockerfile.upgrade -t openbao-upgrade:dev .
-FROM --platform=$BUILDPLATFORM golang:1.26.3@sha256:633d23bf362cb40dd72b4f277288a8929697d77537f9c801b81aeced19b5bdf3 AS builder
+FROM --platform=$BUILDPLATFORM golang:1.26.3@sha256:cc9a5d7a008cfe2cbc7ffc752b0d6636ad30fc16e4a648d2e4aac00fd8b25ca3 AS builder
 ARG TARGETOS
 ARG TARGETARCH
 ARG SOURCE_DATE_EPOCH=0
@@ -26,7 +26,7 @@ RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} \
 go build -a -mod=vendor -trimpath -buildvcs=false -ldflags="-buildid=" -o bao-upgrade-executor ./cmd/bao-upgrade && \
 touch -h -d "@${SOURCE_DATE_EPOCH}" bao-upgrade-executor
-FROM gcr.io/distroless/static:nonroot@sha256:e3f945647ffb95b5839c07038d64f9811adf17308b9121d8a2b87b6a22a80a39
+FROM gcr.io/distroless/static:nonroot@sha256:963fa6c544fe5ce420f1f54fb88b6fb01479f054c8056d0f74cc2c6000df5240
 USER 1000:1000
 WORKDIR /