Title: NutzBoot project (Nutz community) NutzBoot (Web3j starter + demo module) NutzBoot 2.6.0-SNAPSHOT Improper Access Control (Unauthenticated transaction API)

Description: The same Web3j demo module that loads wallet credentials also provides a convenience endpoint to trigger transfers. The method performs the following steps:

1. Accepts from and to path segments and a wei query parameter.
2. Ensures the amount is 0.01–100 ether.
3. Fetches the Web3jAccount matching the from name and obtains its stored password.
4. Calls web3jAdmin.personalSendTransaction(...), which unlocks the account and sends the transaction.

No user identity is checked, and the route is accessible with an ordinary GET request. Consequently, anyone can spend the funds of any configured account by making a single HTTP call.

Source: https://github.com/Xzzz111/exps/blob/main/archives/nutzboot-UnauthorizedTransfer-1/report.md

User: sh7err03 (UID 92418)
Submission: 11/10/2025 11:53 AM (24 days ago)
Moderation: 11/30/2025 03:13 PM (20 days later)
Status: Accepted
VulDB entry: 333816 [nutzam NutzBoot up to 2.6.0-SNAPSHOT Transaction API EthModule.java from/to/wei improper authorization]
Points: 20
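
The check the description reports as missing, shown as an added example (not NutzBoot's code and not from the linked report): a framework-independent gate that a handler would run before reaching web3jAdmin.personalSendTransaction(...). The TransferGuard class, the user-to-account map and the account names are hypothetical, and the 0.01 to 100 ether bounds are assumed to be inclusive.

```java
import java.math.BigInteger;
import java.util.Map;
import java.util.Set;

/** Authorization gate to run before any call that unlocks an account and sends funds. */
public class TransferGuard {
    static final BigInteger WEI_PER_ETHER = BigInteger.TEN.pow(18);
    static final BigInteger MIN_WEI = WEI_PER_ETHER.divide(BigInteger.valueOf(100));   // 0.01 ether
    static final BigInteger MAX_WEI = WEI_PER_ETHER.multiply(BigInteger.valueOf(100)); // 100 ether

    // Hypothetical mapping: authenticated user -> account names that user may spend from.
    private final Map<String, Set<String>> allowedAccounts;

    public TransferGuard(Map<String, Set<String>> allowedAccounts) {
        this.allowedAccounts = allowedAccounts;
    }

    /** Returns null when the transfer may proceed, otherwise the reason for refusal. */
    public String check(String httpMethod, String sessionUser, String from, BigInteger wei) {
        // A state-changing call should not be reachable through a plain GET.
        if (!"POST".equals(httpMethod)) return "405: transfers must not be triggered by GET";
        // Identity comes from the server-side session, never from the request path.
        if (sessionUser == null) return "401: no authenticated user";
        // The 'from' account must belong to the caller; a name in the URL proves nothing.
        Set<String> owned = allowedAccounts.getOrDefault(sessionUser, Set.of());
        if (!owned.contains(from)) return "403: user may not spend from " + from;
        // The amount check from the description stays, but only after authorization.
        if (wei == null || wei.compareTo(MIN_WEI) < 0 || wei.compareTo(MAX_WEI) > 0)
            return "400: amount outside 0.01-100 ether";
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample data: one user who owns one configured account.
        TransferGuard guard = new TransferGuard(Map.of("alice", Set.of("alice-wallet")));
        BigInteger oneEther = WEI_PER_ETHER;
        // First case mirrors the reported request shape: anonymous GET naming an account.
        System.out.println(guard.check("GET", null, "alice-wallet", oneEther));
        System.out.println(guard.check("POST", null, "alice-wallet", oneEther));
        System.out.println(guard.check("POST", "bob", "alice-wallet", oneEther));
        System.out.println(guard.check("POST", "alice", "alice-wallet", BigInteger.ONE));
        System.out.println(guard.check("POST", "alice", "alice-wallet", oneEther));
    }
}
```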