diff --git a/0001-gdm-x-session-Allow-adding-custom-arguments-to-Xorg.patch b/0001-gdm-x-session-Allow-adding-nocursor-argument-to-Xorg.patch
similarity index 68%
rename from 0001-gdm-x-session-Allow-adding-custom-arguments-to-Xorg.patch
rename to 0001-gdm-x-session-Allow-adding-nocursor-argument-to-Xorg.patch
index d85a23a..cd88004 100644
--- a/0001-gdm-x-session-Allow-adding-custom-arguments-to-Xorg.patch
+++ b/0001-gdm-x-session-Allow-adding-nocursor-argument-to-Xorg.patch
@@ -1,51 +1,41 @@
 From e879ecad55b43157122b782039881f7264236f98 Mon Sep 17 00:00:00 2001
 From: Joan Torres Lopez <joantolo@redhat.com>
 Date: Wed, 16 Jul 2025 16:11:22 +0200
-Subject: [PATCH] gdm-x-session: Allow adding custom arguments to Xorg
+Subject: [PATCH] gdm-x-session: Allow adding -nocursor argument to Xorg
 
-Use Command option in xorg section in custom.conf to add custom arguments
+Use NoCursor option in xorg section in custom.conf to add -nocursor argument
 to Xorg.
----
- common/gdm-settings-keys.h |  2 ++
- daemon/gdm-session.c       | 13 +++++++++++--
- daemon/gdm-x-session.c     | 10 +++++++++-
- data/gdm.schemas.in        |  6 ++++++
- 4 files changed, 28 insertions(+), 3 deletions(-)
 
 diff --git a/common/gdm-settings-keys.h b/common/gdm-settings-keys.h
-index 4b3a1ff..ce875eb 100644
+index 4b3a1ff..08015a2 100644
 --- a/common/gdm-settings-keys.h
 +++ b/common/gdm-settings-keys.h
 @@ -59,6 +59,8 @@ G_BEGIN_DECLS
  #define GDM_KEY_WILLING "xdmcp/Willing"
  #define GDM_KEY_ALLOW_MULTIPLE_SESSIONS_PER_USER "xdmcp/AllowMultipleSessionsPerUser"
  
-+#define GDM_KEY_XORG_COMMAND "xorg/Command"
++#define GDM_KEY_XORG_NOCURSOR "xorg/NoCursor"
 +
  #define GDM_KEY_MULTICAST "chooser/Multicast"
  #define GDM_KEY_MULTICAST_ADDR "chooser/MulticastAddr"
  
 diff --git a/daemon/gdm-session.c b/daemon/gdm-session.c
-index e6febeb..77e8023 100644
+index 12ce720..fc871b2 100644
 --- a/daemon/gdm-session.c
 +++ b/daemon/gdm-session.c
-@@ -2945,6 +2945,8 @@ gdm_session_start_session (GdmSession *self,
+@@ -2943,6 +2943,7 @@ gdm_session_start_session (GdmSession *self,
+         gboolean                run_launcher = FALSE;
+         gboolean                allow_remote_connections = FALSE;
+         gboolean                run_separate_bus = FALSE;
++        gboolean                xorg_nocursor = FALSE;
          char                   *command;
          char                   *program;
          gboolean               register_session;
-+        g_autofree char       *xorg_option = NULL;
-+        g_autofree char       *xorg_command = NULL;
- 
-         g_return_if_fail (GDM_IS_SESSION (self));
-         g_return_if_fail (self->session_conversation == NULL);
-@@ -2991,12 +2993,18 @@ gdm_session_start_session (GdmSession *self,
+@@ -2992,12 +2993,15 @@ gdm_session_start_session (GdmSession *self,
                          allow_remote_connections = TRUE;
                  }
  
-+                gdm_settings_direct_get_string (GDM_KEY_XORG_COMMAND, &xorg_option);
-+                if (xorg_option != NULL && *xorg_option != '\0') {
-+                        xorg_command = g_strdup_printf ("--xorg-command \"%s\" ", xorg_option);
-+                }
++                gdm_settings_direct_get_boolean (GDM_KEY_XORG_NOCURSOR, &xorg_nocursor);
 +
                  if (run_launcher) {
                          if (is_x11) {
@@ -54,30 +44,30 @@ index e6febeb..77e8023 100644
                                                             register_session ? "--register-session " : "",
                                                             run_xsession_script? "--run-script " : "",
                                                             allow_remote_connections? "--allow-remote-connections " : "",
-+                                                           xorg_command? xorg_command : "",
++                                                           xorg_nocursor? "--xorg-nocursor " : "",
                                                             command);
                          } else {
                                  program = g_strdup_printf (LIBEXECDIR "/gdm-wayland-session %s\"%s\"",
-@@ -3031,8 +3039,9 @@ gdm_session_start_session (GdmSession *self,
+@@ -3032,8 +3036,9 @@ gdm_session_start_session (GdmSession *self,
                   */
                  if (run_launcher) {
                          if (is_x11) {
 -                                program = g_strdup_printf (LIBEXECDIR "/gdm-x-session %s\"dbus-run-session -- %s\"",
 +                                program = g_strdup_printf (LIBEXECDIR "/gdm-x-session %s%s\"dbus-run-session -- %s\"",
                                                             register_session ? "--register-session " : "",
-+                                                           xorg_command? xorg_command : "",
++                                                           xorg_nocursor ? "--xorg-nocursor " : "",
                                                             self->selected_program);
                          } else {
                                  program = g_strdup_printf (LIBEXECDIR "/gdm-wayland-session %s\"dbus-run-session -- %s\"",
 diff --git a/daemon/gdm-x-session.c b/daemon/gdm-x-session.c
-index 0b07ab5..5e25d77 100644
+index 0b07ab5..c3c9a89 100644
 --- a/daemon/gdm-x-session.c
 +++ b/daemon/gdm-x-session.c
 @@ -197,6 +197,7 @@ out:
  static gboolean
  spawn_x_server (State        *state,
                  gboolean      allow_remote_connections,
-+                const char   *xorg_command,
++                gboolean      nocursor,
                  GCancellable *cancellable)
  {
          GPtrArray           *arguments = NULL;
@@ -86,8 +76,8 @@ index 0b07ab5..5e25d77 100644
                  g_ptr_array_add (arguments, "-core");
          }
 +
-+        if (xorg_command != NULL && *xorg_command != '\0') {
-+                g_ptr_array_add (arguments, (void *)xorg_command);
++        if (nocursor) {
++                g_ptr_array_add (arguments, "-nocursor");
 +        }
 +
          g_ptr_array_add (arguments, NULL);
@@ -97,13 +87,13 @@ index 0b07ab5..5e25d77 100644
          gboolean         ret;
          int              exit_status = EX_OK;
          static gboolean  register_session = FALSE;
-+        static const char *xorg_command = NULL;
++        static gboolean  xorg_nocursor = FALSE;
  
          static GOptionEntry entries []   = {
                  { "run-script", 'r', 0, G_OPTION_ARG_NONE, &run_script, N_("Run program through /etc/gdm/Xsession wrapper script"), NULL },
                  { "allow-remote-connections", 'a', 0, G_OPTION_ARG_NONE, &allow_remote_connections, N_("Listen on TCP socket"), NULL },
                  { "register-session", 0, 0, G_OPTION_ARG_NONE, &register_session, "Register session after a delay", NULL },
-+                { "xorg-command", 0, 0, G_OPTION_ARG_STRING, &xorg_command, "Add extra arguments to Xorg command", NULL },
++                { "xorg-nocursor", 0, 0, G_OPTION_ARG_NONE, &xorg_nocursor, "Add -nocursor argument to Xorg command", NULL },
                  { G_OPTION_REMAINING, 0, 0, G_OPTION_ARG_STRING_ARRAY, &args, "", "" },
                  { NULL }
          };
@@ -112,12 +102,12 @@ index 0b07ab5..5e25d77 100644
          g_unix_signal_add (SIGTERM, (GSourceFunc) on_sigterm, state);
  
 -        ret = spawn_x_server (state, allow_remote_connections, state->cancellable);
-+        ret = spawn_x_server (state, allow_remote_connections, xorg_command, state->cancellable);
++        ret = spawn_x_server (state, allow_remote_connections, xorg_nocursor, state->cancellable);
  
          if (!ret) {
                  g_printerr ("Unable to run X server\n");
 diff --git a/data/gdm.schemas.in b/data/gdm.schemas.in
-index 929d13d..b862887 100644
+index 929d13d..bcf19ba 100644
 --- a/data/gdm.schemas.in
 +++ b/data/gdm.schemas.in
 @@ -144,6 +144,12 @@
@@ -126,11 +116,37 @@ index 929d13d..b862887 100644
      </schema>
 +
 +    <schema>
-+      <key>xorg/Command</key>
-+      <signature>s</signature>
-+      <default></default>
++      <key>xorg/NoCursor</key>
++      <signature>b</signature>
++      <default>false</default>
 +    </schema>
    </schemalist>
  </gdmschemafile>
  
-2.49.0
+diff --git a/docs/C/index.docbook b/docs/C/index.docbook
+index 134b9bc..aaf285e 100644
+--- a/docs/C/index.docbook
++++ b/docs/C/index.docbook
+@@ -1601,6 +1601,22 @@ gdm:.my.domain
+           </varlistentry>
+         </variablelist>
+       </sect3>
++
++      <sect3 id="xorgsection">
++        <title>[xorg]</title>
++        <variablelist>
++          <varlistentry>
++            <term>NoCursor</term>
++            <listitem>
++              <synopsis>NoCursor=true</synopsis>
++              <para>
++                If true the Xorg server launched to start a user session will
++                be have the -nocursor argument.
++              </para>
++            </listitem>
++          </varlistentry>
++        </variablelist>
++      </sect3>
+     </sect2>
+ 
+     <sect2 id="greeterconfiguration">
diff --git a/gdm.spec b/gdm.spec
index 166518e..678622d 100644
--- a/gdm.spec
+++ b/gdm.spec
@@ -11,7 +11,7 @@
 Name: gdm
 Epoch: 1
 Version: 40.1
-Release: 34%{?dist}
+Release: 35%{?dist}
 Summary: The GNOME Display Manager
 
 License: GPLv2+
@@ -83,7 +83,7 @@ Patch99930001: 0001-data-add-system-dconf-databases-to-gdm-profile.patch
 
 Patch99950001: 0001-data-Disable-network-configuration-on-login-screen.patch
 
-Patch99960001: 0001-gdm-x-session-Allow-adding-custom-arguments-to-Xorg.patch
+Patch99960001: 0001-gdm-x-session-Allow-adding-nocursor-argument-to-Xorg.patch
 
 BuildRequires: accountsservice-devel
 BuildRequires: audit-libs-devel >= %{libauditver}
@@ -373,6 +373,12 @@ dconf update || :
 %{_libdir}/pkgconfig/gdm-pam-extensions.pc
 
 %changelog
+* Wed Jul 16 2025 Joan Torres <joantolo@redhat.com> - 40.1-35
+- Instead of allowing adding custom parameters to Xorg,
+  only allow adding -nocursor. Allowing adding custom parameters
+  is a potential security issue.
+  Related: RHEL-81194
+
 * Mon Jul 14 2025 Joan Torres <joantolo@redhat.com> - 40.1-34
 - Allow adding custom parameters to Xorg
   Resolves: RHEL-81194