Unrestricted connection between the Marzban-Node and Marzban-Dashboard

[mmx2004]

When adding a Node in the Marzban-Dashboard, it displays a Certification that ideally needs to be copied into the Node. However, even without copying this Certification, the Node can still be connected to the Dashboard and used without any issues. This presents a significant security flaw that requires immediate attention and resolution.

[SaintShit]

@mmx2004 there are a bunch of nodes out there that don't have a copy of the certificate yet, which can cause a node stop working after updating Marzban. so, currently, we implemented the safe way and suggest users to update their nodes. we hope that the awareness about this will increase with the completion of our documentation.

[mmx2004]

But It appears that even the previous version of Marzban-Node lacks sufficient protection against unauthorized use. With the correct version of Marzban-Dashboard, one could potentially utilize another individual's Marzban-Node, which poses a significant security concern. This situation is far from ideal and requires immediate attention to ensure proper security measures are in place.

[M03ED]

This is why marzban removed the old method for nodes , in the new version unauthorized marzban can't connect nodes.

[xshayank]

This is why marzban removed the old method for nodes , in the new version unauthorized marzban can't connect nodes.

I think they are having this issue in the new version not the old one

[SaintShit]

But It appears that even the previous version of Marzban-Node lacks sufficient protection against unauthorized use. With the correct version of Marzban-Dashboard, one could potentially utilize another individual's Marzban-Node, which poses a significant security concern. This situation is far from ideal and requires immediate attention to ensure proper security measures are in place.

can u provide some details on how this could happen?