Test DB sensitive information on source code

Hello guys. I just found a file which has URLs, users and passwords for accessing databases. However, just before this info there is a comment that says “#DEMO”, so these databases should be just for testing. In this case, can we say that this is not a vulnerability, or is it a clear-text sensitive information vulnerability?
In the file there is also a part for “#PRODUCCION”, but they have just the URL in there, so I assume it is no big deal.

Anonymous users or internet users could access even testing databases? Normally no. So I would report it.
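
Added example, not part of the thread above and not code from either poster: a small triage check for a file like the one described. It records which section label (`#DEMO`, `#PRODUCCION`) each hard-coded value sits under and also checks whether a "URL only" entry embeds `user:password@`. The file contents, key names and patterns are constructed assumptions.

```python
import re

# Constructed sample resembling the file described in the thread (all values made up).
SAMPLE = """\
#DEMO
db.url=jdbc:mysql://demo-db.example.test:3306/app
db.user=demo_app
db.password=Example-Passw0rd
#PRODUCCION
db.url=jdbc:mysql://prod-db.example.test:3306/app
"""

SECTION = re.compile(r"^\s*#\s*([A-Za-z_]+)\s*$")        # one-word label comment
PAIR = re.compile(r"^\s*([\w.\-]+)\s*[=:]\s*(.+?)\s*$")  # key=value or key: value
SECRET_KEY = re.compile(r"pass(word|wd)?|secret|token", re.I)
USER_KEY = re.compile(r"user(name)?|login", re.I)
URL_KEY = re.compile(r"url|host", re.I)
URL_USERINFO = re.compile(r"://[^/\s:@]+:[^/\s@]+@")     # user:pass@ inside a URL


def scan(text):
    """Return (line_no, section, kind, key) findings; values are never echoed."""
    findings, section = [], "UNLABELLED"
    for no, line in enumerate(text.splitlines(), 1):
        label = SECTION.match(line)
        if label:
            section = label.group(1).upper()
            continue
        pair = PAIR.match(line)
        if not pair:
            continue
        key, value = pair.groups()
        if SECRET_KEY.search(key) or URL_USERINFO.search(value):
            kind = "credential"
        elif USER_KEY.search(key):
            kind = "account-name"
        elif URL_KEY.search(key):
            kind = "endpoint"
        else:
            continue
        findings.append((no, section, kind, key))
    return findings


def sections_with_credentials(findings):
    """Section labels that contain at least one hard-coded credential."""
    return sorted({sec for _, sec, kind, _ in findings if kind == "credential"})


if __name__ == "__main__":
    for no, sec, kind, key in scan(SAMPLE):
        print(f"line {no}: [{sec}] {kind}: {key}")
```

The section label is reported as context for the finding, so the report can state that the credentials sit under `#DEMO` and let the owner confirm what those databases actually hold.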