nono-cli CVE-2026-47128
MEDIUMSeverity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
The nono Landlock/seccomp policies allow access to local Unix domain sockets (concrete and abstract). This allows an easy sandbox escape by talking to the per-user systemd dbus socket.
Threat scenario: Running Aider, Claude Code, OpenCode or similar tools with "allow bash" policy so that it can invoke arbitrary host tools like make, gcc, etc. to write code.
Reproducer
Here, instead of running a tool like opencode or claude one can just invoke systemd-run, but this is something an agent could be tricked into doing:
$ cd ~/src/myproject
$ nono run -s --allow-cwd --profile claude-code -- \
systemd-run --user -q --wait --collect \
/bin/sh -c "echo oops > ~/Documents/escaped.txt"
$ cat /var/home/test/Documents/escaped.txt
oops
$Impact
Complete sandbox escape. The unsandboxed sibling process can write anywhere the user can write, spawn arbitrary processes with network access, etc.
Maintainer Context
This issue allows a process running inside the sandbox to escape confinement by interacting with local user-scoped IPC mechanisms and regain the authority already held by the invoking user or service account.
The issue impacts the sandbox’s confinement and blast-radius reduction guarantees for agents and sandboxed tooling. However, exploitation does not provide privilege escalation, cross-user access, or host compromise beyond the permissions already available to the launcher outside the sandbox.
This issue affects the CLI policy layer and bundled sandbox profiles. The underlying core library nono does not ship with policy definitions or agent-facing confinement profiles by default, nor do the language SDKs.
This is considered a serious issue because an AI agent or untrusted command stream operating within the sandbox could abuse the bypass to perform unauthorized or destructive actions using the delegated authority of the launching user.
The root cause was incomplete mediation of local Unix domain socket access within affected sandbox policies. Support for restricting this behavior has since been added and the fix is available in the repository pending release.
CVSS rationale: exploitation requires execution within a locally launched sandboxed process using the authority already delegated by the invoking user or service account (AV:L/PR:L). The issue allows reliable bypass of sandbox confinement and policy guarantees, resulting in high integrity impact (I:H) and limited availability impact (A:L) through destructive actions within the launcher’s existing permissions. However, the issue does not provide privilege escalation, cross-user access, or a change in security scope (S:U).
AnalysisAI
Sandbox escape in nono-cli allows a sandboxed process to fully break out of Landlock/seccomp confinement by communicating over the unmediated per-user systemd D-Bus Unix domain socket. Versions prior to 0.55.0 of the Rust CLI crate are affected, specifically when using bundled profiles such as 'claude-code' that permit bash execution. An attacker - or a prompt-injected AI coding agent - can invoke systemd-run --user from within the sandbox to spawn an unsandboxed sibling process capable of writing anywhere the launching user can write, executing arbitrary commands, and establishing network connections. A working proof-of-concept reproducer is publicly available in the GitHub Security Advisory GHSA-27vp-2mmc-vmh3; no CISA KEV listing exists at time of analysis.
Technical ContextAI
nono is a Rust-based sandboxing CLI tool that uses Linux Landlock LSM and seccomp BPF to confine child processes according to configurable policy profiles. CWE-863 (Incorrect Authorization) identifies the root cause: the bundled sandbox profiles, including the 'claude-code' profile, performed incomplete mediation of local Unix domain socket access. Linux supports two types of Unix domain sockets - concrete filesystem-path-bound sockets and abstract namespace sockets (which bypass the filesystem entirely). Neither was restricted by the affected policies. The per-user systemd D-Bus socket at /run/user/<uid>/bus is exposed as a Unix domain socket, and a sandboxed process retaining access to it can invoke systemd-run --user to request that the host's user systemd instance spawn new, fully unsandboxed services. The affected package is identified by CPE as pkg:rust/nono-cli. The vulnerability exists in the CLI policy layer and bundled profile definitions only; the core nono library and language SDKs do not ship policy definitions and are not affected.
RemediationAI
Upgrade nono-cli to version 0.55.0 or later, which adds support for restricting Unix domain socket access - both concrete and abstract namespace - within sandbox policies, closing the D-Bus escape vector. The fix is confirmed available in the upstream repository per GHSA-27vp-2mmc-vmh3 (https://github.com/always-further/nono/security/advisories/GHSA-27vp-2mmc-vmh3); operators should verify the 0.55.0 release is published to crates.io before deploying, as the advisory noted the fix was 'pending release' at time of disclosure. As a compensating control prior to patching, avoid running AI agents or untrusted command streams under profiles that combine 'allow bash' with access to the host D-Bus socket - note this substantially reduces agent functionality, particularly for workflows invoking build tools. A more targeted workaround is to run the sandboxed workload inside a dedicated unprivileged user session where no systemd user instance is active (for example, a minimal OCI container without systemd-user), which eliminates the D-Bus escape path at the cost of disabling systemd user services in that environment.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-27vp-2mmc-vmh3