Search over 700 indices causes MISSING_PRIVILEGES

after upgrading our Cluster to version 1.6.0 we noticed many security reports in our logs.
They are all caused by one User which is creating search request over 700 indices.
I am not sure if there is any hidden limit in ODFE which could cause this or a bug which do not allow to compare the rights for all indices. I already granted the User full cluster permissions without any luck.

"_index": "security-auditlog-000002",
"_type": "_doc",
"_id": "*BLANKED*",
"_version": 1,
"_score": null,
"_source": {
  "audit_trace_task_parent_id": "*BLANKED*",
  "audit_cluster_name": "odfe-cluster",
  "audit_transport_headers": {
    "_opendistro_security_source_field_context": "*BLANKED*",
    "_opendistro_security_user_header": "*BLANKED*",
    "_opendistro_security_remotecn": "odfe-cluster",
    "_opendistro_security_remote_address_header": "*BLANKED*",
    "_opendistro_security_origin_header": "REST"
  "audit_node_name": "*BLANKED*",
  "audit_trace_task_id": "*BLANKED*",
  "audit_transport_request_type": "ShardSearchRequest",
  "audit_category": "MISSING_PRIVILEGES",
  "audit_request_origin": "REST",
  "audit_node_id": "*BLANKED*",
  "audit_request_layer": "TRANSPORT",
  "@timestamp": "2020-04-28T08:08:48.708+00:00",
  "audit_format_version": 4,
  "audit_request_remote_address": "*BLANKED*",
  "audit_request_privilege": "indices:data/read/search[can_match]",
  "audit_node_host_address": "*BLANKED*",
  "audit_request_effective_user": "*BLANKED*",
  "audit_trace_indices": [
  "audit_trace_resolved_indices": [
  *List of 700 Indices*
  "audit_node_host_name": "*BLANKED*"
"fields": {
  "@timestamp": [
"sort": [

@jakob Did you get this resolved? Are you still running 1.6.0 version?

Um, I am using 1.11.0 and the issue is gone but I am not sure how I/what solved this.