diff --git a/go.mod b/go.mod
index 7bf6a6050fe..00e52d18dd5 100644
--- a/go.mod
+++ b/go.mod
@@ -40,7 +40,7 @@ require (
 	code.gitea.io/sdk/gitea v0.21.0
 	github.com/go-jose/go-jose/v3 v3.0.4
 	github.com/goccy/kpoward v0.1.0
-	github.com/google/cel-go v0.26.0
+	github.com/google/cel-go v0.26.1
 	github.com/google/go-containerregistry/pkg/authn/k8schain v0.0.0-20240108195214-a0658aa1d0cc
 	github.com/sigstore/sigstore/pkg/signature/kms/aws v1.9.5
 	github.com/sigstore/sigstore/pkg/signature/kms/azure v1.9.5
diff --git a/go.sum b/go.sum
index 6c298107efb..3747aafb22c 100644
--- a/go.sum
+++ b/go.sum
@@ -564,8 +564,8 @@ github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6
 github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
-github.com/google/cel-go v0.26.0 h1:DPGjXackMpJWH680oGY4lZhYjIameYmR+/6RBdDGmaI=
-github.com/google/cel-go v0.26.0/go.mod h1:A9O8OU9rdvrK5MQyrqfIxo1a0u4g3sF8KB6PUIaryMM=
+github.com/google/cel-go v0.26.1 h1:iPbVVEdkhTX++hpe3lzSk7D3G3QSYqLGoHOcEio+UXQ=
+github.com/google/cel-go v0.26.1/go.mod h1:A9O8OU9rdvrK5MQyrqfIxo1a0u4g3sF8KB6PUIaryMM=
 github.com/google/gnostic-models v0.6.9 h1:MU/8wDLif2qCXZmzncUQ/BOfxWfthHi63KqpoNbWqVw=
 github.com/google/gnostic-models v0.6.9/go.mod h1:CiWsm0s6BSQd1hRn8/QmxqB6BesYcbSZxsz9b0KuDBw=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
diff --git a/vendor/github.com/google/cel-go/cel/env.go b/vendor/github.com/google/cel-go/cel/env.go
index bb3014464e5..58819e872a2 100644
--- a/vendor/github.com/google/cel-go/cel/env.go
+++ b/vendor/github.com/google/cel-go/cel/env.go
@@ -27,6 +27,7 @@ import (
 	"github.com/google/cel-go/common/containers"
 	"github.com/google/cel-go/common/decls"
 	"github.com/google/cel-go/common/env"
+	"github.com/google/cel-go/common/functions"
 	"github.com/google/cel-go/common/stdlib"
 	"github.com/google/cel-go/common/types"
 	"github.com/google/cel-go/common/types/ref"
@@ -142,6 +143,9 @@ type Env struct {
 	validators      []ASTValidator
 	costOptions     []checker.CostOption
 
+	funcBindOnce     sync.Once
+	functionBindings []*functions.Overload
+
 	// Internal parser representation
 	prsr     *parser.Parser
 	prsrOpts []parser.Option
@@ -320,18 +324,19 @@ func NewCustomEnv(opts ...EnvOption) (*Env, error) {
 		return nil, err
 	}
 	return (&Env{
-		variables:       []*decls.VariableDecl{},
-		functions:       map[string]*decls.FunctionDecl{},
-		macros:          []parser.Macro{},
-		Container:       containers.DefaultContainer,
-		adapter:         registry,
-		provider:        registry,
-		features:        map[int]bool{},
-		appliedFeatures: map[int]bool{},
-		libraries:       map[string]SingletonLibrary{},
-		validators:      []ASTValidator{},
-		progOpts:        []ProgramOption{},
-		costOptions:     []checker.CostOption{},
+		variables:        []*decls.VariableDecl{},
+		functions:        map[string]*decls.FunctionDecl{},
+		functionBindings: []*functions.Overload{},
+		macros:           []parser.Macro{},
+		Container:        containers.DefaultContainer,
+		adapter:          registry,
+		provider:         registry,
+		features:         map[int]bool{},
+		appliedFeatures:  map[int]bool{},
+		libraries:        map[string]SingletonLibrary{},
+		validators:       []ASTValidator{},
+		progOpts:         []ProgramOption{},
+		costOptions:      []checker.CostOption{},
 	}).configure(opts)
 }
 
diff --git a/vendor/github.com/google/cel-go/cel/folding.go b/vendor/github.com/google/cel-go/cel/folding.go
index 40d843ecea3..d1ea6b19dbe 100644
--- a/vendor/github.com/google/cel-go/cel/folding.go
+++ b/vendor/github.com/google/cel-go/cel/folding.go
@@ -38,7 +38,7 @@ func MaxConstantFoldIterations(limit int) ConstantFoldingOption {
 	}
 }
 
-// Adds an Activation which provides known values for the folding evaluator
+// FoldKnownValues adds an Activation which provides known values for the folding evaluator
 //
 // Any values the activation provides will be used by the constant folder and turned into
 // literals in the AST.
diff --git a/vendor/github.com/google/cel-go/cel/program.go b/vendor/github.com/google/cel-go/cel/program.go
index 24f41a4a77e..ec3869bdb4a 100644
--- a/vendor/github.com/google/cel-go/cel/program.go
+++ b/vendor/github.com/google/cel-go/cel/program.go
@@ -20,6 +20,7 @@ import (
 	"sync"
 
 	"github.com/google/cel-go/common/ast"
+	"github.com/google/cel-go/common/functions"
 	"github.com/google/cel-go/common/types"
 	"github.com/google/cel-go/common/types/ref"
 	"github.com/google/cel-go/interpreter"
@@ -191,16 +192,25 @@ func newProgram(e *Env, a *ast.AST, opts []ProgramOption) (Program, error) {
 		}
 	}
 
-	// Add the function bindings created via Function() options.
-	for _, fn := range e.functions {
-		bindings, err := fn.Bindings()
-		if err != nil {
-			return nil, err
-		}
-		err = disp.Add(bindings...)
-		if err != nil {
-			return nil, err
+	e.funcBindOnce.Do(func() {
+		var bindings []*functions.Overload
+		e.functionBindings = []*functions.Overload{}
+		for _, fn := range e.functions {
+			bindings, err = fn.Bindings()
+			if err != nil {
+				return
+			}
+			e.functionBindings = append(e.functionBindings, bindings...)
 		}
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	// Add the function bindings created via Function() options.
+	err = disp.Add(e.functionBindings...)
+	if err != nil {
+		return nil, err
 	}
 
 	// Set the attribute factory after the options have been set.
diff --git a/vendor/github.com/google/cel-go/cel/templates/authoring.tmpl b/vendor/github.com/google/cel-go/cel/templates/authoring.tmpl
index d6b3da5c6c0..d0b0133f151 100644
--- a/vendor/github.com/google/cel-go/cel/templates/authoring.tmpl
+++ b/vendor/github.com/google/cel-go/cel/templates/authoring.tmpl
@@ -1,4 +1,8 @@
-{{define "variable"}}{{.Name}} is a {{.Type}}
+{{define "variable"}}{{.Name}} is a {{.Type}}{{if .Description}}
+
+{{range split .Description}}      {{.}}
+{{end}}
+{{- end -}}
 {{- end -}}
 
 {{define "macro" -}}
diff --git a/vendor/github.com/google/cel-go/cel/validator.go b/vendor/github.com/google/cel-go/cel/validator.go
index 5f06b2dd55f..952f88f41b8 100644
--- a/vendor/github.com/google/cel-go/cel/validator.go
+++ b/vendor/github.com/google/cel-go/cel/validator.go
@@ -45,6 +45,14 @@ var (
 	astValidatorFactories = map[string]ASTValidatorFactory{
 		nestingLimitValidatorName: func(val *env.Validator) (ASTValidator, error) {
 			if limit, found := val.ConfigValue("limit"); found {
+				// In case of protos, config value is of type by google.protobuf.Value, which numeric values are always a double.
+				if val, isDouble := limit.(float64); isDouble {
+					if val != float64(int64(val)) {
+						return nil, fmt.Errorf("invalid validator: %s, limit value is not a whole number: %v", nestingLimitValidatorName, limit)
+					}
+					return ValidateComprehensionNestingLimit(int(val)), nil
+				}
+
 				if val, isInt := limit.(int); isInt {
 					return ValidateComprehensionNestingLimit(val), nil
 				}
diff --git a/vendor/github.com/google/cel-go/common/types/pb/type.go b/vendor/github.com/google/cel-go/common/types/pb/type.go
index bdd474c95af..171494f075a 100644
--- a/vendor/github.com/google/cel-go/common/types/pb/type.go
+++ b/vendor/github.com/google/cel-go/common/types/pb/type.go
@@ -472,7 +472,7 @@ func unwrap(desc description, msg proto.Message) (any, bool, error) {
 		}
 		return v.GetValue(), true, nil
 	}
-	return msg, false, nil
+	return unwrapDynamic(desc, msg.ProtoReflect())
 }
 
 // unwrapDynamic unwraps a reflected protobuf Message value.
diff --git a/vendor/modules.txt b/vendor/modules.txt
index f267b2899cb..130b9208530 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -435,7 +435,7 @@ github.com/golang/groupcache/lru
 ## explicit; go 1.17
 github.com/golang/protobuf/proto
 github.com/golang/protobuf/ptypes/timestamp
-# github.com/google/cel-go v0.26.0
+# github.com/google/cel-go v0.26.1
 ## explicit; go 1.22.0
 github.com/google/cel-go/cel
 github.com/google/cel-go/checker