Security Bulletin: IBM Sterling Partner Engagement Manager has several issues with secrets management (CVE-2025-33093)
Description

Summary

IBM Sterling Partner Engagement Manager's JWT secret is stored in public Helm Charts and is not stored as a Kubernetes secret. This issue has been addressed in the latest Helm Chart.

Vulnerability Details

CVEID: CVE-2025-33093
DESCRIPTION: IBM Sterling Partner Engagement Manager's JWT secret is stored in public Helm Charts and is not stored as a Kubernetes secret.
CWE: CWE-260: Password in Configuration File
CVSS Source: IBM
CVSS Base score: 7.5
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| PEM | 6.1.x |
| PEM | 6.2.x |

Remediation/Fixes

| Product | Version(s) | Remediation/Fix/Instructions |
|---|---|---|
| IBM Sterling Partner Engagement Manager Standard Edition / Essentials Edition | 6.1.x, 6.2.0, 6.2.3, 6.24 | 6.2.0, 6.2.3, 6.2.4 |

Workarounds and Mitigations

Behavioural Change

As part of recent changes to the Helm chart configuration, the default values for the JWT secrets in the following fields have been removed:

- communitymanager.nonprod/prod.setupfile.jwt.secretkey
- communitymanager.nonprod/prod.setupfile.saml.jwt.secretkey

These properties are now mandatory: a valid, non-empty secret key must be provided by the user during deployment. This change ensures that deployments eliminate the use of weak or hardcoded defaults. If the JWT secret is not provided, the Helm chart will raise an error and halt the installation or upgrade process.

Guidance on generating the secret property

The JWT…
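The mitigation above boils down to two operator-side habits: generate a strong, unique JWT signing key instead of relying on a chart default, and keep it in a Kubernetes Secret rather than in a values file that may be committed or published. The following POSIX shell script is an added example written for this page; it is not part of the IBM bulletin or of the PEM Helm chart. The secret name `pem-jwt-secret`, the data key `jwt-secretkey` and the 32-character minimum length are assumptions chosen for illustration, not values taken from the product.

```shell
#!/bin/sh
# Added example, not from the IBM bulletin or the PEM Helm chart.
# Generates a random JWT signing key, refuses empty or short values
# (mirroring the chart's new "mandatory, non-empty" behaviour), and
# renders a Kubernetes Secret manifest so the key never lands in a
# values file.
set -eu

# 256-bit random key rendered as 64 hex characters, using only POSIX tools.
gen_jwt_secret() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Validate a candidate key. Returns 0 if acceptable, 1 otherwise.
# The 32-character minimum is this example's assumption, not a product rule.
check_jwt_secret() {
    key="$1"
    if [ -z "$key" ]; then
        echo "error: JWT secret key must not be empty" >&2
        return 1
    fi
    if [ "${#key}" -lt 32 ]; then
        echo "error: JWT secret key too short (${#key} chars, need >= 32)" >&2
        return 1
    fi
    return 0
}

# Render an Opaque Secret manifest holding the key.
# Secret name and data key name are assumptions for this example.
render_secret_manifest() {
    name="$1"
    key="$2"
    check_jwt_secret "$key"
    b64=$(printf '%s' "$key" | base64 | tr -d '\n')
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
type: Opaque
data:
  jwt-secretkey: $b64
EOF
}

# Stand-alone usage: ./gen-jwt-secret.sh --demo | kubectl apply -f -
# (kubectl is not invoked here; the manifest is printed to stdout.)
if [ "${1:-}" = "--demo" ]; then
    secret=$(gen_jwt_secret)
    render_secret_manifest pem-jwt-secret "$secret"
fi
```

The manifest is written to stdout rather than to disk so it can be piped straight into `kubectl apply -f -` without leaving the key in a file; the Helm values then reference the Secret by name instead of carrying the key itself.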
