diff --git a/repositories.bzl b/repositories.bzl
index 12a8ec7a6f..dd74a48da4 100644
--- a/repositories.bzl
+++ b/repositories.bzl
@@ -101,10 +101,10 @@ def grpc_java_repositories(bzlmod = False):
     if not native.existing_rule("com_github_cncf_xds"):
         http_archive(
             name = "com_github_cncf_xds",
-            strip_prefix = "xds-024c85f92f20cab567a83acc50934c7f9711d124",
-            sha256 = "5f403aa681711500ca8e62387be3e37d971977db6e88616fc21862a406430649",
+            strip_prefix = "xds-2ac532fd44436293585084f8d94c6bdb17835af0",
+            sha256 = "790c4c83b6950bb602fec221f6a529d9f368cdc8852aae7d2592d0d04b015f37",
             urls = [
-                "https://github.com/cncf/xds/archive/024c85f92f20cab567a83acc50934c7f9711d124.tar.gz",
+                "https://github.com/cncf/xds/archive/2ac532fd44436293585084f8d94c6bdb17835af0.tar.gz",
             ],
         )
     if not bzlmod and not native.existing_rule("com_github_grpc_grpc"):
diff --git a/xds/third_party/xds/import.sh b/xds/third_party/xds/import.sh
index 9e4bf71d52..7af5c8489d 100755
--- a/xds/third_party/xds/import.sh
+++ b/xds/third_party/xds/import.sh
@@ -17,7 +17,7 @@
 
 set -e
 # import VERSION from one of the google internal CLs
-VERSION=024c85f92f20cab567a83acc50934c7f9711d124
+VERSION=2ac532fd44436293585084f8d94c6bdb17835af0
 DOWNLOAD_URL="https://github.com/cncf/xds/archive/${VERSION}.tar.gz"
 DOWNLOAD_BASE_DIR="xds-${VERSION}"
 SOURCE_PROTO_BASE_DIR="${DOWNLOAD_BASE_DIR}"
@@ -40,6 +40,7 @@ xds/annotations/v3/versioning.proto
 xds/core/v3/authority.proto
 xds/core/v3/collection_entry.proto
 xds/core/v3/context_params.proto
+xds/core/v3/cidr.proto
 xds/core/v3/extension.proto
 xds/core/v3/resource_locator.proto
 xds/core/v3/resource_name.proto
diff --git a/xds/third_party/xds/src/main/proto/xds/core/v3/cidr.proto b/xds/third_party/xds/src/main/proto/xds/core/v3/cidr.proto
new file mode 100644
index 0000000000..c40dab2f28
--- /dev/null
+++ b/xds/third_party/xds/src/main/proto/xds/core/v3/cidr.proto
@@ -0,0 +1,25 @@
+syntax = "proto3";
+
+package xds.core.v3;
+
+import "xds/annotations/v3/status.proto";
+import "google/protobuf/wrappers.proto";
+
+import "validate/validate.proto";
+
+option java_outer_classname = "CidrRangeProto";
+option java_multiple_files = true;
+option java_package = "com.github.xds.core.v3";
+option go_package = "github.com/cncf/xds/go/xds/core/v3";
+
+option (xds.annotations.v3.file_status).work_in_progress = true;
+
+// CidrRange specifies an IP Address and a prefix length to construct
+// the subnet mask for a `CIDR <https://tools.ietf.org/html/rfc4632>`_ range.
+message CidrRange {
+  // IPv4 or IPv6 address, e.g. ``192.0.0.0`` or ``2001:db8::``.
+  string address_prefix = 1 [(validate.rules).string = {min_len: 1}];
+
+  // Length of prefix, e.g. 0, 32. Defaults to 0 when unset.
+  google.protobuf.UInt32Value prefix_len = 2 [(validate.rules).uint32 = {lte: 128}];
+}
diff --git a/xds/third_party/xds/src/main/proto/xds/data/orca/v3/orca_load_report.proto b/xds/third_party/xds/src/main/proto/xds/data/orca/v3/orca_load_report.proto
index 53da75f78a..1b0847585a 100644
--- a/xds/third_party/xds/src/main/proto/xds/data/orca/v3/orca_load_report.proto
+++ b/xds/third_party/xds/src/main/proto/xds/data/orca/v3/orca_load_report.proto
@@ -10,7 +10,7 @@ option go_package = "github.com/cncf/xds/go/xds/data/orca/v3";
 import "validate/validate.proto";
 
 // See section `ORCA load report format` of the design document in
-// :ref:`https://github.com/envoyproxy/envoy/issues/6614`.
+// https://github.com/envoyproxy/envoy/issues/6614.
 
 message OrcaLoadReport {
   // CPU utilization expressed as a fraction of available CPU resources. This
diff --git a/xds/third_party/xds/src/main/proto/xds/type/matcher/v3/cel.proto b/xds/third_party/xds/src/main/proto/xds/type/matcher/v3/cel.proto
index b1ad1faa28..a45af9534a 100644
--- a/xds/third_party/xds/src/main/proto/xds/type/matcher/v3/cel.proto
+++ b/xds/third_party/xds/src/main/proto/xds/type/matcher/v3/cel.proto
@@ -2,9 +2,7 @@ syntax = "proto3";
 
 package xds.type.matcher.v3;
 
-import "xds/annotations/v3/status.proto";
 import "xds/type/v3/cel.proto";
-
 import "validate/validate.proto";
 
 option java_package = "com.github.xds.type.matcher.v3";
@@ -12,8 +10,6 @@ option java_outer_classname = "CelProto";
 option java_multiple_files = true;
 option go_package = "github.com/cncf/xds/go/xds/type/matcher/v3";
 
-option (xds.annotations.v3.file_status).work_in_progress = true;
-
 // [#protodoc-title: Common Expression Language (CEL) matchers]
 
 // Performs a match by evaluating a `Common Expression Language
@@ -24,14 +20,13 @@ option (xds.annotations.v3.file_status).work_in_progress = true;
 //
 //   The match is ``true``, iff the result of the evaluation is a bool AND true.
 //   In all other cases, the match is ``false``, including but not limited to: non-bool types,
-//   ``false``, ``null``,`` int(1)``, etc.
+//   ``false``, ``null``, ``int(1)``, etc.
 //   In case CEL expression raises an error, the result of the evaluation is interpreted "no match".
 //
 // Refer to :ref:`Unified Matcher API <envoy_v3_api_msg_.xds.type.matcher.v3.Matcher>` documentation
 // for usage details.
 //
-// [#comment:TODO(sergiitk): Link HttpAttributesMatchInput + usage example.]
-// [#comment:TODO(sergiitk): When implemented, add the extension tag.]
+// [#comment: envoy.matching.matchers.cel_matcher]
 message CelMatcher {
   // Either parsed or checked representation of the CEL program.
   type.v3.CelExpression expr_match = 1 [(validate.rules).message = {required: true}];
diff --git a/xds/third_party/xds/src/main/proto/xds/type/matcher/v3/http_inputs.proto b/xds/third_party/xds/src/main/proto/xds/type/matcher/v3/http_inputs.proto
index 0dd80cd6f6..5709d64501 100644
--- a/xds/third_party/xds/src/main/proto/xds/type/matcher/v3/http_inputs.proto
+++ b/xds/third_party/xds/src/main/proto/xds/type/matcher/v3/http_inputs.proto
@@ -2,15 +2,11 @@ syntax = "proto3";
 
 package xds.type.matcher.v3;
 
-import "xds/annotations/v3/status.proto";
-
 option java_package = "com.github.xds.type.matcher.v3";
 option java_outer_classname = "HttpInputsProto";
 option java_multiple_files = true;
 option go_package = "github.com/cncf/xds/go/xds/type/matcher/v3";
 
-option (xds.annotations.v3.file_status).work_in_progress = true;
-
 // [#protodoc-title: Common HTTP Inputs]
 
 // Specifies that matching should be performed on the set of :ref:`HTTP attributes
@@ -22,6 +18,6 @@ option (xds.annotations.v3.file_status).work_in_progress = true;
 // Refer to :ref:`Unified Matcher API <envoy_v3_api_msg_.xds.type.matcher.v3.Matcher>` documentation
 // for usage details.
 //
-// [#comment:TODO(sergiitk): When implemented, add the extension tag.]
+// [#comment: envoy.matching.inputs.cel_data_input]
 message HttpAttributesCelMatchInput {
 }
diff --git a/xds/third_party/xds/src/main/proto/xds/type/matcher/v3/matcher.proto b/xds/third_party/xds/src/main/proto/xds/type/matcher/v3/matcher.proto
index 4966b456be..cc03ff6e98 100644
--- a/xds/third_party/xds/src/main/proto/xds/type/matcher/v3/matcher.proto
+++ b/xds/third_party/xds/src/main/proto/xds/type/matcher/v3/matcher.proto
@@ -2,7 +2,6 @@ syntax = "proto3";
 
 package xds.type.matcher.v3;
 
-import "xds/annotations/v3/status.proto";
 import "xds/core/v3/extension.proto";
 import "xds/type/matcher/v3/string.proto";
 
@@ -21,8 +20,6 @@ option go_package = "github.com/cncf/xds/go/xds/type/matcher/v3";
 // As an on_no_match might result in another matching tree being evaluated, this process
 // might repeat several times until the final OnMatch (or no match) is decided.
 message Matcher {
-  option (xds.annotations.v3.message_status).work_in_progress = true;
-
   // What to do if a match is successful.
   message OnMatch {
     oneof on_match {
@@ -38,6 +35,14 @@ message Matcher {
       // Protocol-specific action to take.
       core.v3.TypedExtensionConfig action = 2;
     }
+
+    // If true and the Matcher matches, the action will be taken but the caller
+    // will behave as if the Matcher did not match. A subsequent matcher or
+    // on_no_match action will be used instead.
+    // This field is not supported in all contexts in which the matcher API is
+    // used. If this field is set in a context in which it's not supported,
+    // the resource will be rejected.
+    bool keep_matching = 3;
   }
 
   // A linear list of field matchers.
diff --git a/xds/third_party/xds/src/main/proto/xds/type/v3/cel.proto b/xds/third_party/xds/src/main/proto/xds/type/v3/cel.proto
index df4f81d90d..043990401c 100644
--- a/xds/third_party/xds/src/main/proto/xds/type/v3/cel.proto
+++ b/xds/third_party/xds/src/main/proto/xds/type/v3/cel.proto
@@ -47,6 +47,13 @@ message CelExpression {
   //
   // If set, takes precedence over ``cel_expr_parsed``.
   cel.expr.CheckedExpr cel_expr_checked = 4;
+
+  // Unparsed expression in string form. For example, ``request.headers['x-env'] == 'prod'`` will
+  // get ``x-env`` header value and compare it with ``prod``.
+  // Check the `Common Expression Language <https://github.com/google/cel-spec>`_ for more details.
+  //
+  // If set, takes precedence over ``cel_expr_parsed`` and ``cel_expr_checked``.
+  string cel_expr_string = 5;
 }
 
 // Extracts a string by evaluating a `Common Expression Language