Thanks for the clarification, I didn’t want to get into the whole fork situation as I know there are a lot of mixed feelings around it and wanted to focus purely on the security implications To clarify I encoundered the plugin of ODFE and not opensearch, but it is a good note and important to check also on forks of open source projects such as opensearch to see if the same behavior occurs there and if it was also fixed or intended to be fixed in future. As for the cat api, appreciate the comment. I will check into it and update accordingly not to confuse future readers Thanks, Rotem