diff --git a/.changelog/3312.txt b/.changelog/3312.txt
new file mode 100644
index 0000000000..f63948096e
--- /dev/null
+++ b/.changelog/3312.txt
@@ -0,0 +1,7 @@
+```release-note:security
+Upgrade to use Go 1.20.12. This resolves CVEs
+[CVE-2023-45283](https://nvd.nist.gov/vuln/detail/CVE-2023-45283): (`path/filepath`) recognize \??\ as a Root Local Device path prefix (Windows)
+[CVE-2023-45284](https://nvd.nist.gov/vuln/detail/CVE-2023-45285): recognize device names with trailing spaces and superscripts (Windows)
+[CVE-2023-39326](https://nvd.nist.gov/vuln/detail/CVE-2023-39326): (`net/http`) limit chunked data overhead
+[CVE-2023-45285](https://nvd.nist.gov/vuln/detail/CVE-2023-45285): (`cmd/go`) go get may unexpectedly fallback to insecure git
+```
\ No newline at end of file
diff --git a/.go-version b/.go-version
index acdfc7930c..3b9e4a0c18 100644
--- a/.go-version
+++ b/.go-version
@@ -1 +1 @@
-1.20.10
+1.20.12
diff --git a/control-plane/Dockerfile b/control-plane/Dockerfile
index c09f5ecf80..42d8e08faf 100644
--- a/control-plane/Dockerfile
+++ b/control-plane/Dockerfile
@@ -16,7 +16,7 @@
 # go-discover builds the discover binary (which we don't currently publish
 # either).
-FROM golang:1.19.2-alpine as go-discover
+FROM golang:1.20.12-alpine as go-discover
 RUN CGO_ENABLED=0 go install github.com/hashicorp/go-discover/cmd/discover@214571b6a5309addf3db7775f4ee8cf4d264fd5f
 # dev copies the binary from a local build
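Review bot: The new `FROM golang:1.20.12-alpine as go-discover` line in control-plane/Dockerfile still hard-codes the toolchain version independently of `.go-version`, and the removed line shows the two had already drifted (the image was on 1.19.2 while `.go-version` said 1.20.10), so earlier Go security bumps presumably never reached the go-discover build. Consider a single source of truth, e.g. `ARG GOLANG_VERSION=1.20.12` ahead of the stage and `FROM golang:${GOLANG_VERSION}-alpine AS go-discover`, with the build passing the value read from `.go-version`. The tag is also mutable, whereas the `go install` on the next line is pinned to a commit hash; pinning the base image by digest (`golang:1.20.12-alpine@sha256:<digest>`) would give the stage the same reproducibility. The rest of the Dockerfile is outside the hunk, so other `golang:` references could not be checked from here.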