CVE-2026-47128

MEDIUMPre-NVD 6.16.1
EchelonGraph scoreLOW confidence

This medium-severity CVE scores 6.1 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit probability: 0.0%, top 98% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m, epss
6.1
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • Lower severity and no public exploit yet
CISA-KEV: Not listedEPSS: 0%CVSS: 6.1Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

nono: Sandbox escape on Linux via D-Bus: systemd-run --user

Summary

The nono Landlock/seccomp policies allow access to local Unix domain sockets (concrete and abstract). This allows an easy sandbox escape by talking to the per-user systemd dbus socket.

Threat scenario: Running Aider, Claude Code, OpenCode or similar tools with "allow bash" policy so that it can invoke arbitrary host tools like make, gcc, etc. to write code.

Reproducer

Here, instead of running a tool like opencode or claude one can just invoke systemd-run, but this is something an agent could be tricked into doing:

$ cd ~/src/myproject
$ nono run -s --allow-cwd --profile claude-code -- \
      systemd-run --user -q --wait --collect \
      /bin/sh -c "echo oops > ~/Documents/escaped.txt"
$ cat /var/home/test/Documents/escaped.txt
oops
$

Impact

Complete sandbox escape. The unsandboxed sibling process can write anywhere the user can write, spawn arbitrary processes with network access, etc.

Maintainer Context

This issue allows a process running inside the sandbox to escape confinement by interacting with local user-scoped IPC mechanisms and regain the authority already held by the invoking user or service account.

The issue impacts the sandbox’s confinement and blast-radius reduction guarantees for agents and sandboxed tooling. However, exploitation does not provide privilege escalation, cross-user access, or host compromise beyond the permissions already available to the launcher outside the sandbox.

This issue affects the CLI policy layer and bundled sandbox profiles. The underlying core library nono does not ship with policy definitions or agent-facing confinement profiles by default, nor do the language SDKs.

This is considered a serious issue because an AI agent or untrusted command stream operating within the sandbox could abuse the bypass to perform unauthorized or destructive actions using the delegated authority of the launching user.

The root cause was incomplete mediation of local Unix domain socket access within affected sandbox policies. Support for restricting this behavior has since been added and the fix is available in the repository pending release.

CVSS rationale: exploitation requires execution within a locally launched sandboxed process using the authority already delegated by the invoking user or service account (AV:L/PR:L). The issue allows reliable bypass of sandbox confinement and policy guarantees, resulting in high integrity impact (I:H) and limited availability impact (A:L) through destructive actions within the launcher’s existing permissions. However, the issue does not provide privilege escalation, cross-user access, or a change in security scope (S:U).

CVSS v3
6.1
EG Score
6.1(low)
EPSS
1.8%
KEV
Not listed

Published

May 28, 2026

Last Modified

May 28, 2026

Vendor Advisories for CVE-2026-47128(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Affected Packages

(1 across 1 ecosystem)
crates.io(1)
PackageVulnerable rangeFixed inDependents
nono-cli0.55.0

Data Freshness Timeline

(refreshed 2× in last 7d / 13× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-16 02:41 UTCEG score recompute
  2. 2026-07-11 19:19 UTCEG score recompute
  3. 2026-07-08 17:46 UTCEG score recompute
  4. 2026-07-02 10:19 UTCEG score recompute
  5. 2026-07-01 02:30 UTCEG score recompute
  6. 2026-06-29 19:54 UTCEG score recompute
  7. 2026-06-28 19:15 UTCEG score recompute
  8. 2026-06-27 18:25 UTCEG score recompute
  9. 2026-06-26 17:45 UTCEG score recompute
  10. 2026-06-25 17:05 UTCEG score recompute
  11. 2026-06-24 16:20 UTCEG score recompute
  12. 2026-06-18 23:52 UTCEG score recompute
  13. 2026-06-17 17:48 UTCEG score recompute
  14. 2026-06-16 15:36 UTCEG score recompute
  15. 2026-06-15 12:49 UTCEG score recompute
  16. 2026-06-14 23:18 UTCEPSS rescore
  17. 2026-06-14 09:41 UTCEG score recompute
  18. 2026-06-13 23:00 UTCEPSS rescore
  19. 2026-06-13 08:59 UTCEG score recompute
  20. 2026-06-12 23:12 UTCEPSS rescore
  21. 2026-06-12 08:19 UTCEG score recompute
  22. 2026-06-11 07:40 UTCEG score recompute
  23. 2026-06-10 07:01 UTCEG score recompute
  24. 2026-06-09 06:18 UTCEG score recompute
  25. 2026-06-08 05:38 UTCEG score recompute
Show 8 more
  1. 2026-06-07 04:58 UTCEG score recompute
  2. 2026-06-06 04:19 UTCEG score recompute
  3. 2026-06-05 03:40 UTCEG score recompute
  4. 2026-06-04 03:00 UTCEG score recompute
  5. 2026-06-03 02:20 UTCEG score recompute
  6. 2026-06-02 01:40 UTCEG score recompute
  7. 2026-06-01 01:01 UTCEG score recompute
  8. 2026-05-28 20:06 UTCEG score recompute

Frequently asked(5)

What is CVE-2026-47128?
CVE-2026-47128 is a medium vulnerability published on May 28, 2026. nono: Sandbox escape on Linux via D-Bus: systemd-run --user Summary The nono Landlock/seccomp policies allow access to local Unix domain sockets (concrete and abstract). This allows an easy sandbox escape by talking to the per-user systemd dbus socket. Threat scenario: Running Aider, Claude Code,…
When was CVE-2026-47128 disclosed?
CVE-2026-47128 was first published in the National Vulnerability Database on May 28, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-47128 actively exploited?
CVE-2026-47128 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 1.8% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2026-47128?
CVE-2026-47128 has a CVSS v4.0 base score of 6.1 (CNA self-assessment; NVD's own analysis pending). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-47128?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-47128, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-47128

Explore →

Is Your Infrastructure Affected by CVE-2026-47128?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.