An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. The LOCALDELETE command bypassed ACL checks. An authenticated but non-admin user could invoke the admin-only LOCALDELETE IMAP command and delete mailboxes for which they had no permissions.
https://www.cyrusimap.org/imap/download/release-notes/index.html
https://www.cyrusimap.org/3.12/imap/download/release-notes/3.12/x/3.12.3.html