CVE-2026-47128: nono-cli: sandbox escape via Unix socket bypass

GHSA-27vp-2mmc-vmh3 MEDIUM
Published May 28, 2026
CISO Take

nono-cli's Landlock/seccomp sandbox policies fail to restrict access to Unix domain sockets—including abstract sockets—allowing any process inside the sandbox to reach the per-user systemd D-Bus socket and spawn arbitrary processes outside confinement. Organizations running AI coding agents such as Claude Code, Aider, or OpenCode with shell execution enabled under nono are the primary exposure: a prompt-injected or misbehaving agent can invoke systemd-run via D-Bus to escape confinement and operate with the full filesystem and network permissions of the launching user. With attack complexity rated Low and no public exploit required, the barrier is minimal—any untrusted command stream the agent executes could weaponize this path in a single shell invocation. Upgrade to nono-cli 0.55.0 immediately, which adds explicit Unix domain socket mediation; if patching is blocked, restrict systemd user socket access or avoid running AI agents with shell execution under unpatched nono policies.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

Although rated Medium (CVSS 6.1) due to local attack vector and no cross-user privilege escalation, practical risk for AI agent deployments is elevated. The exploit is trivially reproducible with a single shell command requiring only low-privilege access—precisely what sandboxed agents already hold. This directly undermines nono's core security guarantee of blast-radius reduction for AI coding agents, making it high-risk for any organization relying on nono as a confinement boundary. Eight prior CVEs in the same package further signal a pattern of incomplete security mediation in the sandboxing layer, lowering confidence in compensating controls.

Attack Kill Chain

Initial Access
Malicious content—via prompt injection, a poisoned repository, or an adversarial task—causes an AI coding agent running inside the nono sandbox to execute an attacker-controlled shell command.
AML.T0051.001
Sandbox Escape
The shell command contacts the per-user systemd D-Bus socket, which nono's Landlock/seccomp policies leave unrestricted, and invokes systemd-run --user to spawn a sibling process outside confinement.
AML.T0105
Unrestricted Execution
The spawned sibling process operates with the launching user's full OS permissions outside any sandbox boundary, able to write arbitrary files, read credentials, and open network connections.
AML.T0053
Impact
Attacker achieves data exfiltration of SSH keys, API tokens, or source code; persistent backdoor installation; or lateral movement within the user's permission scope—all undetected by nono's confinement audit log.
AML.T0112.000

What systems are affected?

Package       Ecosystem   Vulnerable Range   Patched
claude-code   npm                            No patch
nono-cli      cargo       < 0.55.0           0.55.0

Severity & Risk

CVSS 3.1
6.1 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

Attack Surface

AV Local
AC Low
PR Low
UI None
S Unchanged
C None
I High
A Low

What should I do?

5 steps
  1. Upgrade nono-cli to 0.55.0 immediately—this release adds Unix domain socket mediation that closes the D-Bus escape path.

  2. If patching is blocked, restrict the per-user D-Bus socket via systemd.socket unit overrides or remove it from the user session environment.

  3. Audit all agent deployments using nono with --allow-bash or shell execution policies and treat them as effectively unconfined until patched.

  4. For detection: monitor for unexpected systemd-run --user invocations or D-Bus socket connections from processes descending from AI agent parent processes (audit rules on dbus-daemon or systemd --user).

  5. Apply defense-in-depth by running AI coding agents under dedicated low-privilege service accounts to limit the scope of any future escape.
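One way to implement the detection in step 4 over a process snapshot, as an added example that is not part of the advisory or of nono (the agent process names and the `ps`-style sample are assumptions): it walks each process's ancestry and raises an alert only when a `systemd-run --user` client descends from an agent, so an operator's own `systemd-run` from an interactive shell is not flagged.

```python
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid comm args")
# Assumption: agent binaries appear under these comm names; extend for your fleet.
AGENT_COMMS = {"claude", "aider", "opencode", "nono"}
# Constructed `ps -eo pid,ppid,comm,args --no-headers` snapshot. 2340 is the escape client
# from the reproducer; 2350 is the sibling that systemd --user (1200) spawned for it, so
# its ancestry no longer leads to the agent; 2400 is an operator's benign systemd-run.
SAMPLE_PS = """\
1200 1 systemd /usr/lib/systemd/systemd --user
2300 1 bash -bash
2310 2300 nono nono run -s --allow-cwd --profile claude-code -- claude
2320 2310 claude claude
2330 2320 sh /bin/sh -c systemd-run --user -q --wait --collect /bin/sh -c 'echo oops > ~/Documents/escaped.txt'
2340 2330 systemd-run systemd-run --user -q --wait --collect /bin/sh -c 'echo oops > ~/Documents/escaped.txt'
2350 1200 sh /bin/sh -c 'echo oops > ~/Documents/escaped.txt'
2400 2300 systemd-run systemd-run --user --unit=nightly-backup /usr/bin/rsync -a /home/test/src /mnt/backup
"""

def parse_ps(text):
    procs = {}  # pid -> Proc
    for line in text.splitlines():
        pid, ppid, comm, args = line.split(None, 3)
        procs[int(pid)] = Proc(int(pid), int(ppid), comm, args)
    return procs

def ancestors(procs, pid):
    """Yield the ancestors of pid, nearest parent first (cycle-safe)."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        pid = procs[pid].ppid
        if pid in procs:
            yield procs[pid]

def is_user_systemd_run(args):
    """True for a systemd-run process aimed at the per-user manager (--user)."""
    argv = args.split()
    return bool(argv) and argv[0].rsplit("/", 1)[-1] == "systemd-run" and "--user" in argv

def find_escapes(procs):
    """Return (pid, agent_comm, args) for each systemd-run --user that descends from an agent.
    The spawned sibling is not caught here; correlate it by time or transient unit name."""
    alerts = []
    for p in procs.values():
        if is_user_systemd_run(p.args):
            agent = next((a for a in ancestors(procs, p.pid) if a.comm in AGENT_COMMS), None)
            if agent is not None:
                alerts.append((p.pid, agent.comm, p.args))
    return alerts
```

Feed it a live `ps -eo pid,ppid,comm,args --no-headers` capture instead of `SAMPLE_PS` to run it on a real host; the sibling spawned by `systemd --user` must be found through the user journal, since its parent is the user manager rather than the agent.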

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.8.5 - AI system security and privacy by design
NIST AI RMF
GOVERN-6.1 - Policies and procedures for AI risk management
OWASP LLM Top 10
LLM06:2025 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-47128?

nono-cli's Landlock/seccomp sandbox policies fail to restrict access to Unix domain sockets—including abstract sockets—allowing any process inside the sandbox to reach the per-user systemd D-Bus socket and spawn arbitrary processes outside confinement. Organizations running AI coding agents such as Claude Code, Aider, or OpenCode with shell execution enabled under nono are the primary exposure: a prompt-injected or misbehaving agent can invoke systemd-run via D-Bus to escape confinement and operate with the full filesystem and network permissions of the launching user. With attack complexity rated Low and no public exploit required, the barrier is minimal—any untrusted command stream the agent executes could weaponize this path in a single shell invocation. Upgrade to nono-cli 0.55.0 immediately, which adds explicit Unix domain socket mediation; if patching is blocked, restrict systemd user socket access or avoid running AI agents with shell execution under unpatched nono policies.

Is CVE-2026-47128 actively exploited?

No confirmed active exploitation of CVE-2026-47128 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-47128?

  1. Upgrade nono-cli to 0.55.0 immediately—this release adds Unix domain socket mediation that closes the D-Bus escape path.

  2. If patching is blocked, restrict the per-user D-Bus socket via systemd.socket unit overrides or remove it from the user session environment.

  3. Audit all agent deployments using nono with --allow-bash or shell execution policies and treat them as effectively unconfined until patched.

  4. For detection: monitor for unexpected systemd-run --user invocations or D-Bus socket connections from processes descending from AI agent parent processes (audit rules on dbus-daemon or systemd --user).

  5. Apply defense-in-depth by running AI coding agents under dedicated low-privilege service accounts to limit the scope of any future escape.

What systems are affected by CVE-2026-47128?

This vulnerability affects the following AI/ML architecture patterns: AI coding agent sandboxes, local AI development environments, agent frameworks with shell access.

What is the CVSS score for CVE-2026-47128?

CVE-2026-47128 has a CVSS v3.1 base score of 6.1 (MEDIUM).

AI Security Impact

Affected AI Architectures

AI coding agent sandboxes, local AI development environments, agent frameworks with shell access

MITRE ATLAS Techniques

AML.T0051.001 LLM Prompt Injection: Indirect
AML.T0053 AI Agent Tool Invocation
AML.T0105 Escape to Host
AML.T0112.000 Local AI Agent

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.8.5
NIST AI RMF: GOVERN-6.1
OWASP LLM Top 10: LLM06:2025

Technical Details

Original Advisory

### Summary

The nono Landlock/seccomp policies allow access to local Unix domain sockets (concrete and abstract). This allows an easy sandbox escape by talking to the per-user systemd dbus socket.

Threat scenario: Running Aider, Claude Code, OpenCode or similar tools with "allow bash" policy so that it can invoke arbitrary host tools like `make`, `gcc`, etc. to write code.

### Reproducer

Here, instead of running a tool like `opencode` or `claude` one can just invoke `systemd-run`, but this is something an agent could be tricked into doing:

```bash
$ cd ~/src/myproject
$ nono run -s --allow-cwd --profile claude-code -- \
    systemd-run --user -q --wait --collect \
    /bin/sh -c "echo oops > ~/Documents/escaped.txt"
$ cat /var/home/test/Documents/escaped.txt
oops
$
```

### Impact

Complete sandbox escape. The unsandboxed sibling process can write anywhere the user can write, spawn arbitrary processes with network access, etc.

### Maintainer Context

This issue allows a process running inside the sandbox to escape confinement by interacting with local user-scoped IPC mechanisms and regain the authority already held by the invoking user or service account. The issue impacts the sandbox’s confinement and blast-radius reduction guarantees for agents and sandboxed tooling. However, exploitation does not provide privilege escalation, cross-user access, or host compromise beyond the permissions already available to the launcher outside the sandbox.

This issue affects the CLI policy layer and bundled sandbox profiles. The underlying core library `nono` does not ship with policy definitions or agent-facing confinement profiles by default, nor do the language SDKs.

This is considered a serious issue because an AI agent or untrusted command stream operating within the sandbox could abuse the bypass to perform unauthorized or destructive actions using the delegated authority of the launching user.

The root cause was incomplete mediation of local Unix domain socket access within affected sandbox policies. Support for restricting this behavior has since been added and the fix is available in the repository pending release.

CVSS rationale: exploitation requires execution within a locally launched sandboxed process using the authority already delegated by the invoking user or service account (`AV:L/PR:L`). The issue allows reliable bypass of sandbox confinement and policy guarantees, resulting in high integrity impact (`I:H`) and limited availability impact (`A:L`) through destructive actions within the launcher’s existing permissions. However, the issue does not provide privilege escalation, cross-user access, or a change in security scope (`S:U`).
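The root cause above is that the policies mediated filesystem paths but not the local IPC surface. The following exposure check is an added example, not nono's code (the /proc/net/unix excerpt and the uid 1000 runtime directory are constructed): it lists the listening Unix sockets a sandboxed process could reach and separates abstract-namespace sockets, which have no filesystem path for a path rule to name, from the concrete sockets inside the user's runtime directory such as the per-user bus.

```python
import os

# Constructed /proc/net/unix excerpt (assumption: a uid 1000 desktop session).
# Flags 00010000 marks a listening socket; a Path starting with '@' is an abstract socket.
SAMPLE_PROC_NET_UNIX = """\
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 21001 /run/user/1000/bus
0000000000000000: 00000002 00000000 00010000 0001 01 21002 /run/user/1000/systemd/private
0000000000000000: 00000002 00000000 00010000 0001 01 21003 @/tmp/dbus-Xy12abCD
0000000000000000: 00000003 00000000 00000000 0001 03 21004 /run/user/1000/bus
0000000000000000: 00000002 00000000 00010000 0001 01 21005 /run/systemd/journal/stdout
0000000000000000: 00000002 00000000 00000000 0002 01 21006
"""

SO_ACCEPTCON = 0x10000  # __SO_ACCEPTCON bit in the Flags column: socket is listening

def listening_sockets(text):
    """Return [(path, is_abstract)] for every listening socket in /proc/net/unix text."""
    out = []
    for line in text.splitlines()[1:]:  # skip header row
        fields = line.split()
        if len(fields) < 8:  # unnamed socket: no Path column
            continue
        flags, path = int(fields[3], 16), fields[7]
        if flags & SO_ACCEPTCON:
            out.append((path, path.startswith("@")))
    return out

def classify(sockets, runtime_dir):
    """Bucket listening sockets by what a sandbox policy must do to cover them."""
    buckets = {"abstract": [], "user_session": [], "other": []}
    for path, is_abstract in sockets:
        if is_abstract:
            buckets["abstract"].append(path)       # no path: a filesystem rule cannot name it
        elif path.startswith(runtime_dir.rstrip("/") + "/"):
            buckets["user_session"].append(path)   # per-user D-Bus / systemd private sockets
        else:
            buckets["other"].append(path)
    return buckets

def audit(text=None, runtime_dir=None):
    """Run against a supplied excerpt or, by default, the live /proc/net/unix."""
    if text is None:
        with open("/proc/net/unix") as f:
            text = f.read()
    runtime_dir = runtime_dir or os.environ.get("XDG_RUNTIME_DIR") or f"/run/user/{os.getuid()}"
    return classify(listening_sockets(text), runtime_dir)
```

Anything in the "abstract" bucket has to be closed by a mechanism that understands socket families or the abstract namespace rather than by filesystem path rules, which is the gap the 0.55.0 mediation addresses.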

Exploitation Scenario

An adversary embeds malicious instructions in a repository, document, or upstream dependency that an AI coding agent is directed to process. The injected prompt frames a shell command as a legitimate build or test step, instructing the agent to invoke systemd-run --user via the unmediated D-Bus socket. The resulting process spawns outside the nono sandbox with the launching user's full OS permissions, enabling silent exfiltration of SSH keys, API tokens, or source code, or installation of a persistent backdoor—all while nono's audit log shows only a normal shell invocation within the sandbox.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

Timeline

Published
May 28, 2026
Last Modified
May 28, 2026
First Seen
May 28, 2026

Related Vulnerabilities