diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
index cae592f..06ccf99 100644
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -21,6 +21,11 @@ concurrency:
 env:
   E2E_NAMESPACE: privilegedescalation-dev
   E2E_RELEASE: headlamp-e2e
+  # Pin to a known-good Headlamp version. Using :latest is risky because
+  # the tag can change between CI runs, causing flaky failures when a newer
+  # image is pulled on some nodes but not others (IfNotPresent pull policy).
+  # Update this when Headlamp is upgraded in production (kube-system).
+  HEADLAMP_VERSION: v0.40.1
 
 jobs:
   e2e:
diff --git a/scripts/deploy-e2e-headlamp.sh b/scripts/deploy-e2e-headlamp.sh
index 1b19583..528c017 100755
--- a/scripts/deploy-e2e-headlamp.sh
+++ b/scripts/deploy-e2e-headlamp.sh
@@ -16,7 +16,7 @@
 # Environment:
 #   E2E_NAMESPACE     — namespace for E2E Headlamp (default: privilegedescalation-dev)
 #   E2E_RELEASE       — release/resource name prefix (default: headlamp-e2e)
-#   HEADLAMP_VERSION  — Headlamp image tag (default: latest)
+#   HEADLAMP_VERSION  — Headlamp image tag (default: v0.40.1, pinned to match production)
 set -euo pipefail
 
 REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
@@ -24,7 +24,7 @@ DIST_DIR="$REPO_ROOT/dist"
 
 E2E_NAMESPACE="${E2E_NAMESPACE:-privilegedescalation-dev}"
 E2E_RELEASE="${E2E_RELEASE:-headlamp-e2e}"
-HEADLAMP_VERSION="${HEADLAMP_VERSION:-latest}"
+HEADLAMP_VERSION="${HEADLAMP_VERSION:-v0.40.1}"
 
 if [ ! -d "$DIST_DIR" ]; then
   echo "ERROR: dist/ not found. Run 'npm run build' first." >&2