Given this was cross tenant access, it would seem to be a Critical issue, but because this was found on the day the service went GA, and thus likely had only a handful of private beta customers, I'm not sure if the severity should be reduced. You would have to know the account numbers of other customers, but that is the only requirement.
On the day it went GA, Ian found you could gain admin access to any other AWS account's Lake Formation. I don't believe this issue is currently listed in. https://twitter.com/iann0036/status/1161871038336028672
Given this was cross tenant access, it would seem to be a Critical issue, but because this was found on the day the service went GA, and thus likely had only a handful of private beta customers, I'm not sure if the severity should be reduced. You would have to know the account numbers of other customers, but that is the only requirement.