Description:
Pauline has a privilege which allows CREATE EVENT.
Pauline has no privilege which allows DROP DATABASE.
Pauline can create an event which drops a database.

How to repeat:
As user root, say:

mysql> create database db_x;
Query OK, 1 row affected (0.00 sec)

mysql> grant event on db_x.* to pauline@localhost;
Query OK, 0 rows affected (0.00 sec)

mysql> delete from mysql.event;
Query OK, 1 row affected (0.00 sec)

mysql> set global event_scheduler = 1;
Query OK, 0 rows affected (0.00 sec)

As user pauline@localhost, say:

mysql> drop database db_x;
ERROR 1044 (42000): Access denied for user 'pauline'@'localhost' to database 'db_x'
mysql> create event db_x.e_x on schedule every 1 second do drop database db_x;
Query OK, 1 row affected (0.00 sec)

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| test               |
+--------------------+
2 rows in set (0.00 sec)

mysql> use db_x;
ERROR 1049 (42000): Unknown database 'db_x'

A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/2447

A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/2641

A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/2687

Fixed in the upcoming 5.1.7 . There were no privilege checks in event's body.

Documented in 5.1.7 changelog:

  <listitem>
        <para>
          Creator privileges are now checked for all events before
          execution. (Bug #17289)
        </para>
      </listitem>