diff --git a/Makefile b/Makefile
index e840319c9fa..6828193e0c7 100644
--- a/Makefile
+++ b/Makefile
@@ -54,7 +54,7 @@ SOURCES := $(shell find . -name "*.go" | grep -v test.go)
 # for more information, see https://github.com/solo-io/gloo/pull/9633
 # and
 # https://soloio.slab.com/posts/extended-http-methods-design-doc-40j7pjeu
-ENVOY_GLOO_IMAGE ?= quay.io/solo-io/envoy-gloo:1.31.5-patch1
+ENVOY_GLOO_IMAGE ?= quay.io/solo-io/envoy-gloo:1.32.3-patch2
 LDFLAGS := "-X github.com/solo-io/gloo/pkg/version.Version=$(VERSION)"
 GCFLAGS ?=
 
diff --git a/changelog/v1.19.0-beta7/envoy-1.32-bump.yaml b/changelog/v1.19.0-beta7/envoy-1.32-bump.yaml
new file mode 100644
index 00000000000..c3c0d794520
--- /dev/null
+++ b/changelog/v1.19.0-beta7/envoy-1.32-bump.yaml
@@ -0,0 +1,12 @@
+changelog:
+  - type: DEPENDENCY_BUMP
+    dependencyOwner: solo-io
+    dependencyRepo: envoy-gloo
+    dependencyTag: v1.32.3-patch2
+    issueLink: https://github.com/solo-io/solo-projects/issues/7608
+  - type: BREAKING_CHANGE
+    issueLink: https://github.com/solo-io/solo-projects/issues/7608
+    description: >-
+      The default configuration of Envoy will continue to trust internal addresses while in the future it will not trust them by default. If you have tooling such as probes on your private network which need to be treated as trusted (e.g. changing arbitrary x-envoy headers) please explicitly include those addresses or CIDR ranges into [internal_address_config](https://docs.solo.io/gloo-edge/latest/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/hcm/hcm.proto.sk/#internaladdressconfig). You can turn up or test the upcoming internal address defaults by setting runtime guard envoy.reloadable_features.explicit_internal_address_config to true.
+
+      For more information, see: https://github.com/envoyproxy/envoy/pull/36221