diff --git a/docker-compose.full.yml b/docker-compose.full.yml
index 0e7064eff7..79aa0d8746 100644
--- a/docker-compose.full.yml
+++ b/docker-compose.full.yml
@@ -148,21 +148,21 @@ services:
 keycloak:
 image: ghcr.io/wundergraph/cosmo/keycloak:${DC_KEYCLOAK_VERSION:-latest}
+ command: ['start-dev', '--import-realm', '--optimized']
 environment:
- KEYCLOAK_EXTRA_ARGS: '--import-realm --optimized'
- KEYCLOAK_ENABLE_HEALTH_ENDPOINTS: 'true'
- KEYCLOAK_ENABLE_STATISTICS: 'true'
- KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN:-admin}
- KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-changeme}
- KEYCLOAK_DATABASE_PORT: ${POSTGRES_PORT:-5432}
- KEYCLOAK_DATABASE_HOST: ${POSTGRES_HOST:-postgres}
- KEYCLOAK_DATABASE_NAME: ${POSTGRES_DB_NAME:-keycloak}
- KEYCLOAK_DATABASE_PASSWORD: ${POSTGRES_PASSWORD:-changeme}
- KEYCLOAK_DATABASE_USER: ${POSTGRES_USER:-postgres}
+ KC_HEALTH_ENABLED: 'true'
+ KC_METRICS_ENABLED: 'true'
+ KC_BOOTSTRAP_ADMIN_USERNAME: ${KEYCLOAK_ADMIN:-admin}
+ KC_BOOTSTRAP_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-changeme}
+ KC_DB_URL_PORT: ${POSTGRES_PORT:-5432}
+ KC_DB_URL_HOST: ${POSTGRES_HOST:-postgres}
+ KC_DB_URL_DATABASE: ${POSTGRES_DB_NAME:-keycloak}
+ KC_DB_PASSWORD: ${POSTGRES_PASSWORD:-changeme}
+ KC_DB_USERNAME: ${POSTGRES_USER:-postgres}
 ports:
 - '8080:8080'
 volumes:
- - ./docker/keycloak/realm.json:/opt/bitnami/keycloak/data/import/realm.json:ro
+ - ./docker/keycloak/realm.json:/opt/keycloak/data/import/realm.json:ro
 restart: unless-stopped
 networks:
 - primary
diff --git a/docker-compose.yml b/docker-compose.yml
index d44c3c358a..cac97cfc83 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
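Review bot: The added `command: ['start-dev', ...]` puts Keycloak in development mode while the service still publishes `'8080:8080'` on every host interface and `KC_BOOTSTRAP_ADMIN_PASSWORD` falls back to `changeme`, so the admin console is reachable over plain HTTP with a known default password from anything that can reach the host. For a local-only stack, bind the port to loopback with `- '127.0.0.1:8080:8080'`. Consider making the secret mandatory instead of defaulted, `KC_BOOTSTRAP_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:?set KEYCLOAK_ADMIN_PASSWORD}`, and likewise for `KC_DB_PASSWORD`. The docker-compose.yml hunk adds the same lines and needs the same treatment.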
@@ -23,21 +23,21 @@ services:
 build:
 context: keycloak
 dockerfile: Dockerfile
+ command: ['start-dev', '--import-realm', '--optimized']
 environment:
- KEYCLOAK_EXTRA_ARGS: '--import-realm --optimized'
- KEYCLOAK_ENABLE_HEALTH_ENDPOINTS: 'true'
- KEYCLOAK_ENABLE_STATISTICS: 'true'
- KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN:-admin}
- KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-changeme}
- KEYCLOAK_DATABASE_PORT: ${POSTGRES_PORT:-5432}
- KEYCLOAK_DATABASE_HOST: ${POSTGRES_HOST:-postgres}
- KEYCLOAK_DATABASE_NAME: ${POSTGRES_DB_NAME:-keycloak}
- KEYCLOAK_DATABASE_PASSWORD: ${POSTGRES_PASSWORD:-changeme}
- KEYCLOAK_DATABASE_USER: ${POSTGRES_USER:-postgres}
+ KC_HEALTH_ENABLED: 'true'
+ KC_METRICS_ENABLED: 'true'
+ KC_BOOTSTRAP_ADMIN_USERNAME: ${KEYCLOAK_ADMIN:-admin}
+ KC_BOOTSTRAP_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-changeme}
+ KC_DB_URL_PORT: ${POSTGRES_PORT:-5432}
+ KC_DB_URL_HOST: ${POSTGRES_HOST:-postgres}
+ KC_DB_URL_DATABASE: ${POSTGRES_DB_NAME:-keycloak}
+ KC_DB_PASSWORD: ${POSTGRES_PASSWORD:-changeme}
+ KC_DB_USERNAME: ${POSTGRES_USER:-postgres}
 ports:
 - '8080:8080'
 volumes:
- - ./docker/keycloak/realm.json:/opt/bitnami/keycloak/data/import/realm.json:ro
+ - ./docker/keycloak/realm.json:/opt/keycloak/data/import/realm.json:ro
 restart: unless-stopped
 depends_on:
 - postgres
diff --git a/helm/cosmo/values.yaml b/helm/cosmo/values.yaml
index 45460528d4..4758ac5044 100644
--- a/helm/cosmo/values.yaml
+++ b/helm/cosmo/values.yaml
@@ -350,6 +350,7 @@ graphqlmetrics:
 # Keycloak for the Cosmo Controlplane & Studio
 # https://artifacthub.io/packages/helm/bitnami/keycloak
+# TODO(pepol): Move to 'codecentric/keycloakx' chart once new keycloak image is built and released
 keycloak:
 # Production requires TLS
 production: false
diff --git a/keycloak/Dockerfile b/keycloak/Dockerfile
index bf024f4447..6a0fcde476 100644
--- a/keycloak/Dockerfile
+++ b/keycloak/Dockerfile
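Review bot: `--optimized` is passed together with `start-dev` in the new `command`, and as far as I know that flag belongs to `kc.sh start`. Dev mode also appears to use a different profile from the `kc.sh build` step in keycloak/Dockerfile, so the pre-built configuration may be rejected or silently rebuilt at startup. Please confirm the container boots with this argv; if it does not, drop the flag, `command: ['start-dev', '--import-realm']`. A comment above `command` such as `# dev mode: plain HTTP, local use only` would record why dev mode is chosen here. The same line is added in docker-compose.full.yml, and the service key this block belongs to sits above the hunk.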
@@ -1,4 +1,6 @@
-FROM --platform=${BUILDPLATFORM} timbru31/java-node:17-jdk-22
+ARG KEYCLOAK_VERSION=26.2.5
+
+FROM --platform=${BUILDPLATFORM} timbru31/java-node:17-jdk-22 AS themebuilder
 WORKDIR /app
@@ -12,14 +14,32 @@ COPY ./theme .
 RUN ./build.sh
-FROM --platform=${TARGETPLATFORM} bitnamilegacy/keycloak:26.2.5
+FROM quay.io/keycloak/keycloak:${KEYCLOAK_VERSION} AS builder
+
+ENV KC_DB=postgres
+ENV KC_METRICS_ENABLED=true
+ENV KC_HEALTH_ENABLED=true
+ENV KC_HTTP_RELATIVE_PATH="/"
-COPY --from=0 /app/target/*.jar /opt/bitnami/keycloak/providers/
+WORKDIR /opt/keycloak
+
+COPY --from=themebuilder /app/target/*.jar /opt/keycloak/providers/
 # Prebuild keycloak for using with postgres for faster startup
 # The features needs to be kept in sync with the keycloak features in helm chart and docker compose
 # Needs to be done after copying the providers
-RUN /opt/bitnami/keycloak/bin/kc.sh build --db=postgres --metrics-enabled true --health-enabled true --http-relative-path "/"
+RUN /opt/keycloak/bin/kc.sh build
+
+FROM quay.io/keycloak/keycloak:${KEYCLOAK_VERSION}
+
+COPY --from=builder /opt/keycloak/ /opt/keycloak/
 EXPOSE 8080
 EXPOSE 8443
+
+ENV KC_DB=postgres
+ENV KC_METRICS_ENABLED=true
+ENV KC_HEALTH_ENABLED=true
+ENV KC_HTTP_RELATIVE_PATH="/"
+
+ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]
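Review bot: Both new `FROM quay.io/keycloak/keycloak:${KEYCLOAK_VERSION}` stages resolve a mutable tag, and the `themebuilder` stage still pulls the third-party `timbru31/java-node:17-jdk-22` the same way, so the contents of the identity-provider image depend on whatever those tags point to at build time. Pinning by digest makes the build reproducible and reviewable, e.g. `FROM quay.io/keycloak/keycloak:${KEYCLOAK_VERSION}@sha256:<digest-placeholder>`. Separately, the four `ENV KC_*` build options are now written twice, in the builder and in the final stage. A comment above the second group, such as `# must match the builder stage values used by kc.sh build`, would make that coupling explicit, since a mismatch presumably invalidates the pre-built configuration.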