diff -ur libvirt-10.2.0.orig/src/qemu/qemu_command.c libvirt-10.2.0/src/qemu/qemu_command.c
--- libvirt-10.2.0.orig/src/qemu/qemu_command.c	2024-04-03 17:49:34.976744165 +0200
+++ libvirt-10.2.0/src/qemu/qemu_command.c	2024-04-03 17:49:53.468991419 +0200
@@ -8201,6 +8201,10 @@
             virCommandAddEnvPair(cmd, "SASL_CONF_PATH", cfg->vncSASLdir);
 
         /* TODO: Support ACLs later */
+
+        if (cfg->vncACL)
+           virBufferAddLit(&opt, ",acl");
+
     }
 
     if (graphics->data.vnc.powerControl != VIR_TRISTATE_BOOL_ABSENT) {
diff -ur libvirt-10.2.0.orig/src/qemu/qemu_conf.c libvirt-10.2.0/src/qemu/qemu_conf.c
--- libvirt-10.2.0.orig/src/qemu/qemu_conf.c	2024-04-03 17:49:34.976744165 +0200
+++ libvirt-10.2.0/src/qemu/qemu_conf.c	2024-04-03 17:49:53.472991473 +0200
@@ -441,6 +441,8 @@
         return -1;
     if (virConfGetValueBool(conf, "vnc_allow_host_audio", &cfg->vncAllowHostAudio) < 0)
         return -1;
+    if (virConfGetValueBool(conf, "vnc_acl", &cfg->vncACL) < 0)
+        return -1;
 
     if (cfg->vncPassword &&
         strlen(cfg->vncPassword) > 8) {
diff -ur libvirt-10.2.0.orig/src/qemu/qemu_conf.h libvirt-10.2.0/src/qemu/qemu_conf.h
--- libvirt-10.2.0.orig/src/qemu/qemu_conf.h	2024-04-03 17:49:34.980744218 +0200
+++ libvirt-10.2.0/src/qemu/qemu_conf.h	2024-04-03 17:49:53.472991473 +0200
@@ -120,6 +120,7 @@
     bool vncTLSx509verify;
     bool vncTLSx509verifyPresent;
     bool vncSASL;
+    bool vncACL;
     char *vncTLSx509certdir;
     char *vncTLSx509secretUUID;
     char *vncListen;
diff -ur libvirt-10.2.0.orig/src/qemu/qemu.conf.in libvirt-10.2.0/src/qemu/qemu.conf.in
--- libvirt-10.2.0.orig/src/qemu/qemu.conf.in	2024-04-03 17:49:34.976744165 +0200
+++ libvirt-10.2.0/src/qemu/qemu.conf.in	2024-04-03 17:49:53.472991473 +0200
@@ -147,6 +147,15 @@
 #vnc_sasl = 1
 
 
+# Enable the VNC access control lists. When switched on this will
+# initially block all vnc users from accessing the vnc server. To
+# add and remove ids from the ACLs you will need to send the appropriate
+# commands to the qemu monitor as required by your particular version of
+# QEMU. See the QEMU documentation for more details.
+#
+# vnc_acl = 1
+
+
 # The default SASL configuration file is located in /etc/sasl/
 # When running libvirtd unprivileged, it may be desirable to
 # override the configs in this location. Set this parameter to