diff --git a/pipelines/shared-tasks/scan-image-trivy/task.yml b/pipelines/shared-tasks/scan-image-trivy/task.yml
index 7716072b1..53ef37fe2 100644
--- a/pipelines/shared-tasks/scan-image-trivy/task.yml
+++ b/pipelines/shared-tasks/scan-image-trivy/task.yml
@@ -1,4 +1,4 @@
-# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+# Copyright 2020-2026 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 ---
@@ -12,8 +12,16 @@ inputs:
 outputs:
 params:
 GITHUB_TOKEN:
- # For format see https://aquasecurity.github.io/trivy/v0.24.2/vulnerability/examples/filter/#by-vulnerability-ids
- IGNORE_VULNERABILITY_IDS: ""
+ # For format see https://trivy.dev/docs/latest/guide/configuration/filtering/#by-finding-ids
+ IGNORE_VULNERABILITY_IDS: |
+ # CVE-2026-24051 is in go.opentelemetry.io/otel/sdk before v1.40.0. This is an indirect dep that we
+ # get through various k8s modules and through fosite. The CVE description says that it only applies
+ # to MacOS. We do not use opentelemetry in the Pinniped CLI, and our other code never runs on MacOS,
+ # so we should have no exposure to this issue. We can wait for the next version of k8s packages to
+ # update this dependency, if they choose to do so.
+ # See https://ossindex.sonatype.org/vulnerability/CVE-2026-24051?component-type=golang&component-name=go.opentelemetry.io%2Fotel%2Fsdk&utm_source=nancy-client&utm_medium=integration&utm_content=1.2.0
+ CVE-2026-24051 exp:2026-06-04
+
 run:
 path: ash
 args:
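Review bot: The justification for ignoring CVE-2026-24051 rests on the Pinniped CLI not linking go.opentelemetry.io/otel/sdk, since the CLI is the one component that does run on macOS, but the comment does not record how that was established; adding a line such as `# Verified that the CLI binary's build info (go version -m) does not list go.opentelemetry.io/otel/sdk` would let the next reviewer re-check the claim when `exp:2026-06-04` lapses rather than re-deriving it. The `#` lines inside the `|` block scalar are part of the string value rather than YAML comments, which is only correct if the task writes IGNORE_VULNERABILITY_IDS to an ignore file whose format accepts comments; the run args that consume the param are outside the hunk, so that is worth confirming there. The trailing blank `+` line adds a second newline to the value, which is harmless but can be dropped.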