diff --git a/.changelog/579.txt b/.changelog/579.txt
new file mode 100644
index 00000000..071c9798
--- /dev/null
+++ b/.changelog/579.txt
@@ -0,0 +1,3 @@
+```release-note:security
+Upgrade envoy version to 1.27.7 to address [CVE-2024-39305](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39305)
+```
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
index a0acfd77..d224a552 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -7,7 +7,7 @@
 # envoy-binary pulls in the latest Envoy binary, as Envoy don't publish
 # prebuilt binaries in any other form.
 ARG GOLANG_VERSION
-FROM envoyproxy/envoy-distroless:v1.27.6 as envoy-binary
+FROM envoyproxy/envoy-distroless:v1.27.7 as envoy-binary
 # Modify the envoy binary to be able to bind to privileged ports (< 1024).
 FROM debian:bullseye-slim AS setcap-envoy-binary