In Commit 9ae17fb, file src/common/common.c, line 956; the flags state for rcon_password was changed from CVAR_PRIVATE to CVAR_ARCHIVE.
This is an error. Clients should never save rcon_password.
This also makes rcon_password vulnerable to macro expansion via malicious servers.