diff --git a/go.mod b/go.mod
index 3701988f84e..4bb24bc2037 100644
--- a/go.mod
+++ b/go.mod
@@ -270,7 +270,7 @@ require (
 	github.com/huandu/xstrings v1.5.0 // indirect
 	github.com/imdario/mergo v1.0.2 // indirect
 	github.com/in-toto/attestation v1.2.0 // indirect
-	github.com/in-toto/in-toto-golang v0.10.0 // indirect
+	github.com/in-toto/in-toto-golang v0.11.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/jedisct1/go-minisign v0.0.0-20241212093149-d2f9f49435c7 // indirect
diff --git a/go.sum b/go.sum
index 52d974d082b..83f22cf7c71 100644
--- a/go.sum
+++ b/go.sum
@@ -515,8 +515,8 @@ github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4=
 github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY=
 github.com/in-toto/attestation v1.2.0 h1:aPRUZ3azbqD7yEBD5fP3TD8Dszf+YHo284SOcpahjQk=
 github.com/in-toto/attestation v1.2.0/go.mod h1:r79G45gOmzPismgObLSL+rZTFxUgZLOQJI6LofTZgXk=
-github.com/in-toto/in-toto-golang v0.10.0 h1:+s2eZQSK3WmWfYV85qXVSBfqgawi/5L02MaqA4o/tpM=
-github.com/in-toto/in-toto-golang v0.10.0/go.mod h1:wjT4RiyFlLWCmLUJjwB8oZcjaq7HA390aMJcD3xXgmg=
+github.com/in-toto/in-toto-golang v0.11.0 h1:nfidMYBFx+E0lnmX5KUnN2Pdm8zdNKal1ayjJuzzRoA=
+github.com/in-toto/in-toto-golang v0.11.0/go.mod h1:u3PjTnwFKjp5a1YCcw8SJg0G+tMeKfVoWsWeFMDCMtw=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
diff --git a/vendor/github.com/in-toto/in-toto-golang/in_toto/match.go b/vendor/github.com/in-toto/in-toto-golang/in_toto/match.go
index 52373aa75f5..a581d00f71f 100644
--- a/vendor/github.com/in-toto/in-toto-golang/in_toto/match.go
+++ b/vendor/github.com/in-toto/in-toto-golang/in_toto/match.go
@@ -22,8 +22,12 @@ var errBadPattern = errors.New("syntax error in pattern")
 //	term:
 //		'*'         matches any sequence of non-/ characters
 //		'?'         matches any single non-/ character
-//		'[' [ '^' ] { character-range } ']'
+//		'[' [ '!' ] { character-range } ']'
 //		            character class (must be non-empty)
+//
+// NOTE: Only '!' is supported for character class negation, not '^'. This is to
+// ensure compatibility with in-toto-python.
+//
 //		c           matches character c (c != '*', '?', '\\', '[')
 //		'\\' c      matches character c
 //
@@ -141,7 +145,7 @@ func matchChunk(chunk, s string) (rest string, ok bool, err error) {
 			chunk = chunk[1:]
 			// possibly negated
 			negated := false
-			if len(chunk) > 0 && chunk[0] == '^' {
+			if len(chunk) > 0 && chunk[0] == '!' {
 				negated = true
 				chunk = chunk[1:]
 			}
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 32c6a8b8b1e..4b868c73a52 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -1081,7 +1081,7 @@ github.com/imdario/mergo
 # github.com/in-toto/attestation v1.2.0
 ## explicit; go 1.23
 github.com/in-toto/attestation/go/v1
-# github.com/in-toto/in-toto-golang v0.10.0
+# github.com/in-toto/in-toto-golang v0.11.0
 ## explicit; go 1.24.0
 github.com/in-toto/in-toto-golang/in_toto
 github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/common