diff --git a/plugin/src/main/java/org/elasticsearch/xpack/security/authz/accesscontrol/SecurityIndexSearcherWrapper.java b/plugin/src/main/java/org/elasticsearch/xpack/security/authz/accesscontrol/SecurityIndexSearcherWrapper.java
index 4a8be69b2a9..a4c3dc3f26d 100644
--- a/plugin/src/main/java/org/elasticsearch/xpack/security/authz/accesscontrol/SecurityIndexSearcherWrapper.java
+++ b/plugin/src/main/java/org/elasticsearch/xpack/security/authz/accesscontrol/SecurityIndexSearcherWrapper.java
@@ -58,6 +58,7 @@ import org.elasticsearch.index.shard.IndexSearcherWrapper;
 import org.elasticsearch.index.shard.ShardId;
 import org.elasticsearch.index.shard.ShardUtils;
 import org.elasticsearch.license.XPackLicenseState;
+import org.elasticsearch.script.CompiledScript;
 import org.elasticsearch.script.ExecutableScript;
 import org.elasticsearch.script.Script;
 import org.elasticsearch.script.ScriptContext;
@@ -276,7 +277,8 @@ public class SecurityIndexSearcherWrapper extends IndexSearcherWrapper {
                 params.put("_user", userModel);
                 // Always enforce mustache script lang:
                 script = new Script(script.getType(), "mustache", script.getIdOrCode(), script.getOptions(), params);
-                ExecutableScript executable = scriptService.executable(script, ScriptContext.Standard.SEARCH);
+                CompiledScript compiledScript = scriptService.compile(script, ScriptContext.Standard.SEARCH);
+                ExecutableScript executable = scriptService.executable(compiledScript, script.getParams());
                 return (BytesReference) executable.run();
             } else {
                 return querySource;
diff --git a/plugin/src/test/java/org/elasticsearch/xpack/security/authz/accesscontrol/SecurityIndexSearcherWrapperUnitTests.java b/plugin/src/test/java/org/elasticsearch/xpack/security/authz/accesscontrol/SecurityIndexSearcherWrapperUnitTests.java
index 3cc85f2ed79..9d4a7ff3c1e 100644
--- a/plugin/src/test/java/org/elasticsearch/xpack/security/authz/accesscontrol/SecurityIndexSearcherWrapperUnitTests.java
+++ b/plugin/src/test/java/org/elasticsearch/xpack/security/authz/accesscontrol/SecurityIndexSearcherWrapperUnitTests.java
@@ -68,6 +68,7 @@ import org.elasticsearch.index.shard.IndexShard;
 import org.elasticsearch.index.shard.ShardId;
 import org.elasticsearch.indices.TermsLookup;
 import org.elasticsearch.license.XPackLicenseState;
+import org.elasticsearch.script.CompiledScript;
 import org.elasticsearch.script.ExecutableScript;
 import org.elasticsearch.script.Script;
 import org.elasticsearch.script.ScriptContext;
@@ -457,8 +458,10 @@ public class SecurityIndexSearcherWrapperUnitTests extends ESTestCase {
                     }
                 };
 
+        CompiledScript compiledScript = mock(CompiledScript.class);
+        when(scriptService.compile(any(Script.class), eq(ScriptContext.Standard.SEARCH))).thenReturn(compiledScript);
         ExecutableScript executableScript = mock(ExecutableScript.class);
-        when(scriptService.executable(any(Script.class), eq(ScriptContext.Standard.SEARCH))).thenReturn(executableScript);
+        when(scriptService.executable(eq(compiledScript), any())).thenReturn(executableScript);
 
         XContentBuilder builder = jsonBuilder();
         String query = new TermQueryBuilder("field", "{{_user.username}}").toXContent(builder, ToXContent.EMPTY_PARAMS).string();
@@ -469,7 +472,7 @@ public class SecurityIndexSearcherWrapperUnitTests extends ESTestCase {
 
         securityIndexSearcherWrapper.evaluateTemplate(querySource);
         ArgumentCaptor<Script> argument = ArgumentCaptor.forClass(Script.class);
-        verify(scriptService).executable(argument.capture(), eq(ScriptContext.Standard.SEARCH));
+        verify(scriptService).compile(argument.capture(), eq(ScriptContext.Standard.SEARCH));
         Script usedScript = argument.getValue();
         assertThat(usedScript.getIdOrCode(), equalTo(script.getIdOrCode()));
         assertThat(usedScript.getType(), equalTo(script.getType()));