diff --git a/pkgs/clan-cli/clan_cli/facts/generate.py b/pkgs/clan-cli/clan_cli/facts/generate.py
index 3d0dabb1d..45542b2bc 100644
--- a/pkgs/clan-cli/clan_cli/facts/generate.py
+++ b/pkgs/clan-cli/clan_cli/facts/generate.py
@@ -48,6 +48,7 @@ def bubblewrap_cmd(generator: str, facts_dir: Path, secrets_dir: Path) -> list[s
 "--unshare-all",
 "--tmpfs", "/",
 "--ro-bind", "/nix/store", "/nix/store",
+ "--ro-bind", "/bin/sh", "/bin/sh",
 "--dev", "/dev",
 # not allowed to bind procfs in some sandboxes
 "--bind", str(facts_dir), str(facts_dir),
diff --git a/pkgs/clan-cli/clan_cli/vars/generate.py b/pkgs/clan-cli/clan_cli/vars/generate.py
index c515f7967..d071b6bdc 100644
--- a/pkgs/clan-cli/clan_cli/vars/generate.py
+++ b/pkgs/clan-cli/clan_cli/vars/generate.py
@@ -103,6 +103,7 @@ def bubblewrap_cmd(generator: str, tmpdir: Path) -> list[str]:
 "--unshare-all",
 "--tmpfs", "/",
 "--ro-bind", "/nix/store", "/nix/store",
+ "--ro-bind", "/bin/sh", "/bin/sh",
 *(["--ro-bind", str(test_store), str(test_store)] if test_store else []),
 "--dev", "/dev",
 # not allowed to bind procfs in some sandboxes
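Review bot: The added `"--ro-bind", "/bin/sh", "/bin/sh",` entry in `facts/generate.py` makes the generator sandbox depend on a host-provided path, while the other read-only mount visible in the hunk comes from `/nix/store`; the identical line in `vars/generate.py` has the same issue. bwrap needs the bind source to exist, and where `/bin/sh` is a dynamically linked binary outside the store its loader and libraries would presumably be missing under the `--tmpfs /` root, so this likely only works when `/bin/sh` resolves into the store, which is worth confirming for every host the CLI is meant to run on. Because these generators produce secrets, the shell they execute is now whatever the host supplies rather than a pinned one; the read-only bind at least keeps a generator from modifying it. I would either bind a store-pinned shell onto `/bin/sh`, or keep the line and document it with something like `# host /bin/sh, read-only: needed by generators that invoke /bin/sh (TODO confirm which)`. Both argument lists sit inside `bubblewrap_cmd`, whose body starts and ends outside the hunks.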