diff --git a/pkg/server/server.go b/pkg/server/server.go
index 548e4b048e8..f61f1199f24 100644
--- a/pkg/server/server.go
+++ b/pkg/server/server.go
@@ -54,6 +54,15 @@ func NewTLSConfig(logger log.Logger, certFile, keyFile, clientCAFile, minVersion
 	}
 	tlsCfg.MinVersion = version
+	// Mitigate CVE-2023-44487 by disabling HTTP2 and forcing HTTP/1.1 until
+	// the Go standard library and golang.org/x/net are fully fixed.
+	// Right now, it is possible for authenticated and unauthenticated users to
+	// hold open HTTP2 connections and consume huge amounts of memory.
+	// See:
+	// * https://github.com/kubernetes/kubernetes/pull/121120
+	// * https://github.com/kubernetes/kubernetes/issues/121197
+	// * https://github.com/golang/go/issues/63417#issuecomment-1758858612
+	tlsCfg.NextProtos = []string{"http/1.1"}
 	cipherSuiteIDs, err := flag.TLSCipherSuites(cipherSuites)
 	if err != nil {
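Review bot: Whether `tlsCfg.NextProtos = []string{"http/1.1"}` actually keeps HTTP/2 off depends on how the returned config is served, which is outside this hunk (NewTLSConfig starts before and ends after it). If the caller wraps its own listener with `tls.NewListener` and passes it to `Server.Serve`, net/http only enables HTTP/2 when NextProtos already contains "h2", so this is sufficient; but as far as I can tell `Server.ServeTLS`/`ListenAndServeTLS` run `http2.ConfigureServer`, which appends "h2" to the config's NextProtos, so http/1.1 is merely preferred by ALPN order and a client that advertises only h2 can still negotiate HTTP/2. The documented, path-independent switch lives on the server, `srv.TLSNextProto = map[string]func(*http.Server, *tls.Conn, http.Handler){}`, and is worth setting wherever the server is constructed in addition to this ALPN change. The comment should also name the exit condition so the workaround is not left behind indefinitely, e.g. `// TODO: remove once go.mod requires Go >= 1.21.3 (or 1.20.10) and golang.org/x/net >= 0.17.0, which ship the CVE-2023-44487 fix.`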