diff --git a/CHANGELOG.md b/CHANGELOG.md
index d66bd4b3d..99d220a80 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
 
+### Added
+
+- Nix store access to the default sandbox
+
 ### Fixed
 
 - Unclear error when running `phylum init` with an invalid organization
diff --git a/cli/src/permissions.rs b/cli/src/permissions.rs
index ed1d75268..5d98e0de0 100644
--- a/cli/src/permissions.rs
+++ b/cli/src/permissions.rs
@@ -310,6 +310,9 @@ pub fn default_sandbox() -> SandboxResult {
 add_exception(&mut birdcage, Exception::ExecuteAndRead("/opt/homebrew".into()))?;
 add_exception(&mut birdcage, Exception::ExecuteAndRead("/usr/local".into()))?;
 
+ // NixOS stores all system files under /nix/store.
+ add_exception(&mut birdcage, Exception::ExecuteAndRead("/nix/store".into()))?;
+
 // Allow access to DNS list.
 //
 // While this is required to send DNS requests for network queries, this does
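Review bot: The new `/nix/store` exception in `default_sandbox` is added unconditionally and grants execute and read access to the entire store, but the comment only mentions NixOS system files. The store also exists on other Linux distributions and macOS when Nix is installed, and it holds every package generation plus any configuration files written into it, so sandboxed code gains read access to all of that. I would spell out the scope in the comment, e.g. `// Nix (NixOS or a standalone install) keeps all packages under /nix/store; the store is world-readable, so this grants read/execute on everything in it, including store-resident config files.` Whether `add_exception` tolerates a missing path is not visible here; presumably it does, since `/opt/homebrew` is added the same way. The body of `default_sandbox` starts and ends outside this hunk.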