
CVE-2024-0861: CWE-425: Direct Request ('Forced Browsing') in GitLab

Medium
Tags: Vulnerability, CVE-2024-0861, cve, cwe-425
Published: Wed Feb 21 2024 (02/21/2024, 23:30:39 UTC)
Source: CVE
Vendor/Project: GitLab
Product: GitLab

Description

An issue has been discovered in GitLab EE affecting all versions starting from 16.4 before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. Users with the `Guest` role can change `Custom dashboard projects` settings contrary to permissions.

AI-Powered Analysis

Last updated: 07/07/2025, 12:11:21 UTC

Technical Analysis

CVE-2024-0861 is classified under CWE-425 (Direct Request, also known as Forced Browsing) and affects GitLab Enterprise Edition (EE) from 16.4 before 16.7.6, from 16.8 before 16.8.3, and from 16.9 before 16.9.1. The flaw lets a user holding the Guest role, the most restricted membership level, modify the Custom dashboard projects setting, an action reserved for higher roles. The root cause is an authorization gap on the server side: the user interface hides the control from Guests, but the request that updates the setting is not gated by the same permission check, so a Guest who sends that request directly has it honoured. This is the essence of forced browsing: hiding a function in the client is not the same as authorizing it on the server. The issue is reachable over the network and needs no user interaction, but it does require an authenticated account with at least Guest membership in the affected group or project, so the realistic attacker is a malicious insider, a compromised low-privilege account, or an external collaborator who was granted Guest access. The CVSS v3.1 base score is 4.3 (Medium), which is the score CVSS assigns to a network-reachable, low-complexity attack that requires low privileges and no user interaction and has a low integrity impact with no confidentiality or availability impact. No exploitation in the wild is reported. The version boundaries in the description identify the fixed releases as 16.7.6, 16.8.3 and 16.9.1, which GitLab shipped together as a patch release; upgrading to one of them resolves the issue. The practical consequence of exploitation is that a Guest can alter which projects back custom dashboards, misleading users or disrupting project visibility and reporting workflows.

Potential Impact

For European organizations using GitLab EE versions within the affected ranges, this vulnerability poses a moderate risk primarily to the integrity of project management data. Unauthorized changes to custom dashboard projects could lead to misinformation, misrepresentation of project statuses, or disruption of team workflows. While it does not directly compromise source code confidentiality or system availability, the integrity impact could indirectly affect decision-making and project tracking. Organizations in sectors with strict compliance requirements (e.g., finance, healthcare, government) may face regulatory scrutiny if such unauthorized changes lead to audit failures or operational errors. Additionally, organizations with large, distributed development teams relying heavily on GitLab dashboards for coordination may experience operational inefficiencies or increased risk of insider threats exploiting this vulnerability.

Mitigation Recommendations

European organizations should identify self-managed GitLab EE instances running an affected version (16.4 before 16.7.6, 16.8 before 16.8.3, 16.9 before 16.9.1) and upgrade them to 16.7.6, 16.8.3 or 16.9.1 or later; these are the fixed releases implied by the version ranges in the description, so there is no need to wait for a future patch (GitLab.com is patched by GitLab itself). Until the upgrade is done, restrict Guest assignments to users who genuinely need them and audit existing Guest memberships, including those inherited through group hierarchies or group sharing, since an attacker needs only a Guest seat to reach the vulnerable request. Keep instances off untrusted networks and behind the usual network and access controls, and enforce MFA and strong identity management so that a phished or reused password does not become a Guest seat. Review audit events for changes to dashboard settings, especially changes authored by accounts that should not be able to make them. Where feasible, disable or limit custom dashboard features until the upgrade lands. Follow GitLab's security release announcements so that future patch releases in the same product area are applied promptly.
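The first two steps above, checking an instance's version against the affected ranges and finding the Guest accounts to review, are easy to script. The following is an added example written for this page, not GitLab's own tooling; it assumes only two documented GitLab REST endpoints, GET /api/v4/version (which on EE builds reports a version string such as 16.8.2-ee) and GET /api/v4/groups/:id/members/all (where access_level 10 denotes Guest). The members payload below is constructed so the script runs offline; the fetch helper is what you would point at a real instance with a read_api token.

```python
"""Version check for CVE-2024-0861 plus a Guest-membership audit.

Added example, not GitLab code. Assumes GET /api/v4/version and
GET /api/v4/groups/:id/members/all; sample data is constructed.
"""
import json
import re
import urllib.request

# (first affected, first fixed) pairs taken from the CVE description.
# A version v is affected when lo <= v < hi for some pair.
AFFECTED_RANGES = [
    ((16, 4, 0), (16, 7, 6)),
    ((16, 8, 0), (16, 8, 3)),
    ((16, 9, 0), (16, 9, 1)),
]

GUEST_ACCESS_LEVEL = 10  # GitLab's numeric access level for the Guest role


def parse_version(version: str) -> tuple:
    """Turn '16.8.2-ee' or '16.9.0' into (16, 8, 2); the '-ee' suffix is ignored."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True if the version lies inside any [first_affected, first_fixed) range.

    Only EE is in scope of the advisory; EE builds report a '-ee' suffix.
    """
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def fetch_version(base_url: str, token: str) -> str:
    """Query a live instance. Needs a personal access token with read_api scope."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/version",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["version"]


def guest_members(members: list) -> list:
    """Usernames whose effective access level in the group is Guest and whose
    account is active. `members` is the JSON array returned by
    /api/v4/groups/:id/members/all (direct plus inherited memberships)."""
    return sorted(
        m["username"]
        for m in members
        if m.get("access_level") == GUEST_ACCESS_LEVEL and m.get("state") == "active"
    )


# Constructed sample shaped like the members API response (not real data).
SAMPLE_MEMBERS = json.loads("""[
  {"username": "alice", "access_level": 50, "state": "active"},
  {"username": "bob",   "access_level": 10, "state": "active"},
  {"username": "carol", "access_level": 10, "state": "blocked"},
  {"username": "dave",  "access_level": 30, "state": "active"}
]""")


if __name__ == "__main__":
    # Boundary cases around each range; replace with fetch_version(url, token) in practice.
    for v in ["16.3.9-ee", "16.4.0-ee", "16.7.5-ee", "16.7.6-ee",
              "16.8.2-ee", "16.8.3-ee", "16.9.0-ee", "16.9.1-ee", "17.0.0-ee"]:
        print(f"{v:12} affected={is_affected(v)}")
    print("Guest accounts to review:", guest_members(SAMPLE_MEMBERS))
```

Blocked accounts are skipped because they cannot authenticate; everything else at access level 10 is a candidate for removal or for an upgrade of the instance. Run the membership query per top-level group, since inherited Guest seats only show up with the members/all variant of the endpoint.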


Technical Details

Data Version: 5.1
Assigner Short Name: GitLab
Date Reserved: 2024-01-24T16:02:22.315Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682ea68a0acd01a249253fe4

Added to database: 5/22/2025, 4:22:34 AM

Last enriched: 7/7/2025, 12:11:21 PM

Last updated: 7/27/2025, 1:13:54 AM
