▲ 4 r/bugbounty
Should I add a comment or make a new report?
So like 2 weeks ago I identified an access control bypass vulnerability where I can delete users using their UserId. After some hours an Intigriti triager downgraded the severity to high. Today I was poking around the same web app and found another endpoint (using the same API) where I can submit a UserId and get PII. It's an access control bypass too, because to make the server neglect the session cookie you need to delete a header. Now the CVSS should have confidentiality and integrity as high, which makes it a critical finding. I'm not sure if I should add a comment or make a new report, even though it's the same root cause.
u/Few_Caregiver4503 — 10 hours ago