Doesn't the max-age parameter[1] restrict a browser from accepting only those previously specified keys for a certain time frame? Therefore newly issued certificates should throw a warning. Otherwise it would be trivial for a MitM'ed server to deliver their own key hash via an HPKP header. Or am I incorrectly understanding the value of the pinned hash?
You're correct about the header. The part you're missing is that it's entirely possible for the site operator to get a new, unrevoked certificate that uses the same underlying private key issued to themselves by a different (or even the same) CA. Such a certificate would be accepted just fine by browsers which have that key pinned. HPKP pins public keys, not individual certificates.
1: https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key...
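The point of the reply above, shown with a computed pin (added example, not from either poster): an HPKP pin is base64(SHA-256(DER SubjectPublicKeyInfo)), so two different certificates issued for the same key yield the same pin, while a certificate for a fresh key does not. It assumes `openssl` on PATH; the key and certificate names are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: one key, two distinct self-signed certificates for it,
# plus an unrelated key and certificate for comparison.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out key.pem 2>/dev/null
# Different subject and serial, so these are two distinct certificates.
openssl req -x509 -new -key key.pem -days 1 -subj "/CN=example.test" -out cert1.pem 2>/dev/null
openssl req -x509 -new -key key.pem -days 1 -subj "/CN=example.test/O=Reissued" -out cert2.pem 2>/dev/null

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out other.pem 2>/dev/null
openssl req -x509 -new -key other.pem -days 1 -subj "/CN=example.test" -out cert3.pem 2>/dev/null

# pin-sha256 for a certificate: hash the DER-encoded SubjectPublicKeyInfo,
# not the certificate itself.
spki_pin() {
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform der \
    | openssl dgst -sha256 -binary \
    | openssl base64 -A
}

# Same value derived from the private key alone: the operator can compute
# the pin before any CA has issued a certificate for that key.
key_pin() {
  openssl pkey -in "$1" -pubout -outform der \
    | openssl dgst -sha256 -binary \
    | openssl base64 -A
}

# Exit status 0 when two certificates would satisfy the same pin.
same_pin() {
  [ "$(spki_pin "$1")" = "$(spki_pin "$2")" ]
}

echo "cert1 (key A):          $(spki_pin cert1.pem)"
echo "cert2 (key A, reissued): $(spki_pin cert2.pem)"
echo "cert3 (key B):          $(spki_pin cert3.pem)"
# A pinned browser accepts any certificate whose SPKI hash matches this value
# until max-age expires; revocation or reissuance of the cert does not change it.
echo "Public-Key-Pins: pin-sha256=\"$(key_pin key.pem)\"; max-age=5184000"
```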