diff --git a/hscontrol/grpcv1.go b/hscontrol/grpcv1.go
index 8f72d2520ee..389198a6e4e 100644
--- a/hscontrol/grpcv1.go
+++ b/hscontrol/grpcv1.go
@@ -659,12 +659,31 @@ func (api headscaleV1APIServer) GetACL(
 _ context.Context,
 _ *v1.GetACLRequest,
 ) (*v1.GetACLResponse, error) {
- acl, err := api.h.db.GetACL()
- if err != nil {
- if db.IsNotFoundError(err) {
- return nil, types.ErrACLPolicyNotFound
+ var (
+ acl *types.ACL
+ err error
+ )
+
+ // Get the ACL from the database or the file, depending on the
+ // configuration. If the ACL is not found, return an error.
+ switch api.h.cfg.ACL.PolicyMode {
+ case types.ACLPolicyModeDB:
+ acl, err = api.h.db.GetACL()
+ if err != nil {
+ if db.IsNotFoundError(err) {
+ return nil, types.ErrACLPolicyNotFound
+ }
+ return nil, err
+ }
+ case types.ACLPolicyModeFile:
+ aclBytes, err := api.h.ACLPolicy.Bytes()
+ if err != nil {
+ return nil, err
+ }
+
+ acl = &types.ACL{
+ Policy: aclBytes,
 }
- return nil, err
 }
 
 return &v1.GetACLResponse{
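Review bot: The new `switch api.h.cfg.ACL.PolicyMode` has no `default` branch, so any mode other than `types.ACLPolicyModeDB` or `types.ACLPolicyModeFile` (an unset or mistyped configuration value, for instance) leaves `acl` nil and reports no error. The `return &v1.GetACLResponse{` that follows is cut off by the hunk, but if it reads fields of `acl` the handler would panic on a nil pointer instead of returning a gRPC error. Add `default: return nil, fmt.Errorf("unsupported ACL policy mode: %v", api.h.cfg.ACL.PolicyMode)` or an equivalent typed error. In the file branch, please also confirm that `api.h.ACLPolicy` cannot be nil when no policy file has been loaded. Separately, `aclBytes, err := ...` shadows the outer `err`, which is harmless today but easy to trip over if code is later added after the switch.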