Summary
The nono Landlock/seccomp policies allow access to local Unix domain sockets (concrete and abstract). This allows an easy sandbox escape by talking to the per-user systemd dbus socket.
Threat scenario: Running Aider, Claude Code, OpenCode or similar tools with "allow bash" policy so that it can invoke arbitrary host tools like make, gcc, etc. to write code.
Reproducer
Here, instead of running a tool like opencode or claude one can just invoke systemd-run, but this is something an agent could be tricked into doing:
$ cd ~/src/myproject
$ nono run -s --allow-cwd --profile claude-code -- \
systemd-run --user -q --wait --collect \
/bin/sh -c "echo oops > ~/Documents/escaped.txt"
$ cat /var/home/test/Documents/escaped.txt
oops
$
Maintainer Context
This issue allows a process running inside the sandbox to escape confinement by interacting with local user-scoped IPC mechanisms and regain the authority already held by the invoking user or service account.
The issue impacts the sandbox’s confinement and blast-radius reduction guarantees for agents and sandboxed tooling. However, exploitation does not provide privilege escalation, cross-user access, or host compromise beyond the permissions already available to the launcher outside the sandbox.
This issue affects the CLI policy layer and bundled sandbox profiles. The underlying core library nono does not ship with policy definitions or agent-facing confinement profiles by default, nor do the language SDKs.
This is considered a serious issue because an AI agent or untrusted command stream operating within the sandbox could abuse the bypass to perform unauthorized or destructive actions using the delegated authority of the launching user.
The root cause was incomplete mediation of local Unix domain socket access within affected sandbox policies. Support for restricting this behavior has since been added and the fix is available in the repository pending release.
CVSS rationale: exploitation requires execution within a locally launched sandboxed process using the authority already delegated by the invoking user or service account (AV:L/PR:L). The issue allows reliable bypass of sandbox confinement and policy guarantees, resulting in high integrity impact (I:H) and limited availability impact (A:L) through destructive actions within the launcher’s existing permissions. However, the issue does not provide privilege escalation, cross-user access, or a change in security scope (S:U).
Impact
Complete sandbox escape. The unsandboxed sibling process can write anywhere the user can write, spawn arbitrary processes with network access, etc.
The application does not correctly enforce access controls, allowing a principal to access resources or operations beyond their granted permissions. Typical impact: unauthorized data access or execution of privileged operations.
CVE-2026-47128 has a CVSS score of 6.1 (Medium). The vector is requires local access, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.55.0); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-47128? CVE-2026-47128 is a medium-severity incorrect authorization vulnerability in nono-cli (rust), affecting versions < 0.55.0. It is fixed in 0.55.0. The application does not correctly enforce access controls, allowing a principal to access resources or operations beyond their granted permissions.
- How severe is CVE-2026-47128? CVE-2026-47128 has a CVSS score of 6.1 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of nono-cli are affected by CVE-2026-47128? nono-cli (rust) versions < 0.55.0 is affected.
- Is there a fix for CVE-2026-47128? Yes. CVE-2026-47128 is fixed in 0.55.0. Upgrade to this version or later.
- Is CVE-2026-47128 exploitable, and should I be worried? Whether CVE-2026-47128 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-47128 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-47128? Upgrade
nono-clito 0.55.0 or later.