this post was submitted on 03 Oct 2025
Programmer Humor
[–] luciferofastora@feddit.org 1 points 7 hours ago

Does the database use the same authentication and permissions as the API? If the API authenticates against the DB with a technical user, it may still be an exploitable vulnerability for people who can't access the DB directly but can access the API. I don't know what database it is, what other databases run on the same server and what privileges might be achievable or escalatable, but generally "there are worse weaknesses" isn't a solid security policy.

You could give me a VPN access and I'll take a look around :p

(Please don't, actually – in case it needs to be said, running pentests on prod is a dangerously bad idea already even before we get to the whole "trusting a stranger on the Internet just because they sound sorta knowledgeable" issue)