diff --git a/plugin/src/main/java/org/elasticsearch/xpack/security/authz/accesscontrol/SecurityIndexSearcherWrapper.java b/plugin/src/main/java/org/elasticsearch/xpack/security/authz/accesscontrol/SecurityIndexSearcherWrapper.java
index 3f47c5a360a..a03a29ab138 100644
--- a/plugin/src/main/java/org/elasticsearch/xpack/security/authz/accesscontrol/SecurityIndexSearcherWrapper.java
+++ b/plugin/src/main/java/org/elasticsearch/xpack/security/authz/accesscontrol/SecurityIndexSearcherWrapper.java
@@ -139,7 +139,8 @@ public class SecurityIndexSearcherWrapper extends IndexSearcherWrapper {
                         filter.add(roleQuery, SHOULD);
                         if (queryShardContext.getMapperService().hasNested()) {
                             // If access is allowed on root doc then also access is allowed on all nested docs of that root document:
-                            BitSetProducer rootDocs = queryShardContext.bitsetFilter(Queries.newNonNestedFilter());
+                            BitSetProducer rootDocs = queryShardContext.bitsetFilter(
+                                    Queries.newNonNestedFilter(queryShardContext.indexVersionCreated()));
                             ToChildBlockJoinQuery includeNestedDocs = new ToChildBlockJoinQuery(roleQuery, rootDocs);
                             filter.add(includeNestedDocs, SHOULD);
                         }